* [PATCH] wireless: radiotap: fix parsing buffer overrun
@ 2013-10-11 12:53 Johannes Berg
From: Johannes Berg @ 2013-10-11 12:53 UTC (permalink / raw)
To: linux-wireless; +Cc: Johannes Berg
From: Johannes Berg <johannes.berg@intel.com>
When parsing an invalid radiotap header, the parser can overrun
the buffer that is passed in because it doesn't correctly check
1) the minimum radiotap header size
2) the space for extended bitmaps
The first issue doesn't affect any in-kernel user as they all
check the minimum size before calling the radiotap function.
The second issue could potentially affect the kernel if an skb
is passed in that consists only of the radiotap header with a
lot of extended bitmaps that extend past the SKB. In that case
a read-only buffer overrun by at most 4 bytes is possible.
Fix this by adding the appropriate checks to the parser.
Cc: stable@vger.kernel.org
Reported-by: Evan Huus <eapache@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/wireless/radiotap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/wireless/radiotap.c b/net/wireless/radiotap.c
index 7d604c0..6c67926 100644
--- a/net/wireless/radiotap.c
+++ b/net/wireless/radiotap.c
@@ -102,6 +102,8 @@ int ieee80211_radiotap_iterator_init(
return -EINVAL;
/* sanity check for allowed length and radiotap length field */
+ if (max_length < sizeof(struct ieee80211_radiotap_header))
+ return -EINVAL;
if (max_length < get_unaligned_le16(&radiotap_header->it_len))
return -EINVAL;
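Review bot: the new minimum-length check guards the `get_unaligned_le16(&radiotap_header->it_len)` read that follows it, but it only bounds `max_length`, not the value of `it_len` itself; an `it_len` smaller than `sizeof(struct ieee80211_radiotap_header)` still passes both checks, so consider also rejecting `it_len < sizeof(struct ieee80211_radiotap_header)` in the same place. Also, the `return -EINVAL` just above the new lines belongs to a check that runs before the size test; if that earlier check dereferences `radiotap_header`, the minimum-length test should move above it so no field is read before the buffer is known to hold the fixed header.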
@@ -131,7 +133,8 @@ int ieee80211_radiotap_iterator_init(
*/
if ((unsigned long)iterator->_arg -
- (unsigned long)iterator->_rtheader >
+ (unsigned long)iterator->_rtheader +
+ sizeof(uint32_t >
(unsigned long)iterator->_max_length)
return -EINVAL;
}
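Review bot: the line `+ sizeof(uint32_t >` is missing the closing parenthesis of `sizeof(`; as posted the expression reads `sizeof(uint32_t > (unsigned long)iterator->_max_length)`, which will not compile, and it should be `sizeof(uint32_t) >` with the comparison outside the `sizeof`. With that fixed, the condition requires the whole 4-byte extended bitmap word to lie within `_max_length` before it is read, whereas the removed `- (unsigned long)iterator->_rtheader >` form only required the start offset not to be past the end, which is exactly the up-to-4-byte over-read the commit message describes.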
--
1.8.4.rc3
* Re: [PATCH] wireless: radiotap: fix parsing buffer overrun
From: Johannes Berg @ 2013-10-14 7:45 UTC (permalink / raw)
To: linux-wireless
On Fri, 2013-10-11 at 14:53 +0200, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> When parsing an invalid radiotap header, the parser can overrun
> the buffer that is passed in because it doesn't correctly check
> 1) the minimum radiotap header size
> 2) the space for extended bitmaps
>
> The first issue doesn't affect any in-kernel user as they all
> check the minimum size before calling the radiotap function.
> The second issue could potentially affect the kernel if an skb
> is passed in that consists only of the radiotap header with a
> lot of extended bitmaps that extend past the SKB. In that case
> a read-only buffer overrun by at most 4 bytes is possible.
>
> Fix this by adding the appropriate checks to the parser.
Applied (with another fix pointed out by Evan)
johannes