[PATCH 2/2] Check protocol number in nl80211 netlink socket release notification handler.

[PATCH 2/2] Check protocol number in nl80211 netlink socket release notification handler.

[Dmitry Ivanov]

This patch corrects the problem where non-privileged user can create
netlink socket with the same port_id as used by hostapd but different
protocol number. Upon close() or process termination, a notification is
sent  to nl80211 subsystem which will destroy virtual wireless network
interfaces created by hostapd like it just died but in fact hostapd is
still running. This is possible because port_id is unique within particular
protocol number only.

Fixes: 026331c4d9b5 ("cfg80211/mac80211: allow registering for and sending action frames")
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
---
 net/wireless/nl80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 98c9242..056a730 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13216,7 +13216,7 @@ static int nl80211_netlink_notify(struct notifier_block * nb,
 	struct wireless_dev *wdev;
 	struct cfg80211_beacon_registration *reg, *tmp;
 
-	if (state != NETLINK_URELEASE)
+	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
 		return NOTIFY_DONE;
 
 	rcu_read_lock();
-- 
2.1.4

Re: [PATCH 2/2] Check protocol number in nl80211 netlink socket release notification handler.

[Johannes Berg]

On Wed, 2016-04-06 at 17:23 +0300, Dmitry Ivanov wrote:
> This patch corrects the problem where non-privileged user can create
> netlink socket with the same port_id as used by hostapd but different
> protocol number. Upon close() or process termination, a notification
> is
> sent  to nl80211 subsystem which will destroy virtual wireless
> network
> interfaces created by hostapd like it just died but in fact hostapd
> is
> still running. This is possible because port_id is unique within
> particular
> protocol number only.
> 
Applied.

johannes