From: Greg KH <greg@kroah.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, stable@vger.kernel.org,
Johannes Berg <johannes.berg@intel.com>
Subject: Re: [PATCH 4.4, 4.9, 4.14, 4.19] nl80211: validate beacon head
Date: Wed, 9 Oct 2019 11:43:10 +0200
Message-ID: <20191009094310.GA3945119@kroah.com>
In-Reply-To: <1570603265-@changeid>

On Wed, Oct 09, 2019 at 08:41:09AM +0200, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> Commit 8a3347aa110c76a7f87771999aed491d1d8779a8 upstream.
>
> We currently don't validate the beacon head, i.e. the header,
> fixed part and elements that are to go in front of the TIM
> element. This means that the variable elements there can be
> malformed, e.g. have a length exceeding the buffer size, but
> most downstream code from this assumes that this has already
> been checked.
>
> Add the necessary checks to the netlink policy.
>
> Cc: stable@vger.kernel.org
> Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings")
> Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
> net/wireless/nl80211.c | 38 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 38 insertions(+)
>
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 6168db3c35e4..4a10ab388e0b 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -200,6 +200,38 @@ cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
> return __cfg80211_rdev_from_attrs(netns, info->attrs);
> }
>
> +static int validate_beacon_head(const struct nlattr *attr,
> + struct netlink_ext_ack *extack)
> +{
> + const u8 *data = nla_data(attr);
> + unsigned int len = nla_len(attr);
> + const struct element *elem;
> + const struct ieee80211_mgmt *mgmt = (void *)data;
> + unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
> + u.beacon.variable);
> +
> + if (len < fixedlen)
> + goto err;
> +
> + if (ieee80211_hdrlen(mgmt->frame_control) !=
> + offsetof(struct ieee80211_mgmt, u.beacon))
> + goto err;
> +
> + data += fixedlen;
> + len -= fixedlen;
> +
> + for_each_element(elem, data, len) {
> + /* nothing */
> + }
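Review bot: the for_each_element() loop that closes the quoted part of validate_beacon_head() has a body of only `/* nothing */`, so nothing at that point tells the reader what the walk is for. A one-line comment saying the iteration exists only to find where the last well-formed element ends, so that position can be compared with the end of the attribute, would document the intent. The function also depends on struct element and for_each_element() while the changelog names no prerequisite commit, so a submission for the older trees should either list the commit that introduces them or open-code the walk.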
for_each_element() is not in 4.4, 4.9, 4.14, or 4.19, so this breaks the
build :(
I'll drop this from my queues for now.
thanks,
greg k-h
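
The malformed case the commit message describes (an element whose length exceeds the buffer) can be seen in a userspace sketch. This is an added example, not code from the thread or from the kernel: it open-codes the element walk instead of using for_each_element(), covers only the length checks (not the frame-control header-length comparison), and the function names, the 24 + 12 byte fixed size and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes: 24-byte management header plus the 12 fixed beacon bytes
 * (timestamp 8, beacon interval 2, capability 2) before the first element. */
#define BEACON_FIXED_LEN (24u + 12u)

/* Walk id/length/payload elements; 1 only if they fill the buffer exactly. */
static int elems_well_formed(const uint8_t *data, size_t len)
{
    size_t pos = 0;

    while (len - pos >= 2) {            /* room for the id and length octets */
        size_t elen = data[pos + 1];

        if (elen > len - pos - 2)       /* payload would run past the buffer */
            return 0;
        pos += 2 + elen;
    }
    return pos == len;                  /* a stray trailing octet is malformed */
}

/* Hypothetical userspace check; the name is not from the kernel. */
static int beacon_head_ok(const uint8_t *head, size_t len)
{
    if (len < BEACON_FIXED_LEN)
        return 0;
    return elems_well_formed(head + BEACON_FIXED_LEN, len - BEACON_FIXED_LEN);
}

/* Constructed samples: zeroed header except frame control, then elements. */
static const uint8_t sample_ok[] = {        /* SSID "lab", one supported rate */
    [0] = 0x80, [36] = 0x00, 0x03, 'l', 'a', 'b', 0x01, 0x01, 0x82 };
static const uint8_t sample_overlong[] = {  /* SSID claims 32 bytes, has 3 */
    [0] = 0x80, [36] = 0x00, 0x20, 'l', 'a', 'b' };
static const uint8_t sample_stray[] = {     /* empty SSID, then one lone octet */
    [0] = 0x80, [36] = 0x00, 0x00, 0x01 };

int main(void)
{
    printf("ok=%d overlong=%d stray=%d\n",
           beacon_head_ok(sample_ok, sizeof(sample_ok)),
           beacon_head_ok(sample_overlong, sizeof(sample_overlong)),
           beacon_head_ok(sample_stray, sizeof(sample_stray)));
    return 0;
}
```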