From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Srinivas Dasari <dasaris@qti.qualcomm.com>,
Jouni Malinen <jouni@qca.qualcomm.com>,
Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 3.18 07/28] cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
Date: Wed, 19 Jul 2017 13:15:35 +0200 [thread overview]
Message-ID: <20170719111319.355411675@linuxfoundation.org> (raw)
In-Reply-To: <20170719111319.044769907@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Dasari <dasaris@qti.qualcomm.com>
commit d7f13f7450369281a5d0ea463cc69890a15923ae upstream.
validate_scan_freqs() retrieves frequencies from attributes
nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
nla_get_u32(), which reads 4 bytes from each attribute
without validating the size of data received. Attributes
nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.
Validate size of each attribute before parsing to avoid potential buffer
overread.
Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/nl80211.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5348,6 +5348,10 @@ static int validate_scan_freqs(struct nl
struct nlattr *attr1, *attr2;
int n_channels = 0, tmp1, tmp2;
+ nla_for_each_nested(attr1, freqs, tmp1)
+ if (nla_len(attr1) != sizeof(u32))
+ return 0;
+
nla_for_each_nested(attr1, freqs, tmp1) {
n_channels++;
/*
next prev parent reply other threads:[~2017-07-19 11:16 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-19 11:15 [PATCH 3.18 00/28] 3.18.62-stable review Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 01/28] ipv6: avoid unregistering inet6_dev for loopback Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 02/28] tcp: reset sk_rx_dst in tcp_disconnect() Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 03/28] net: prevent sign extension in dev_get_stats() Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 04/28] ipv6: dad: dont remove dynamic addresses if link is down Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 06/28] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE Greg Kroah-Hartman
2017-07-19 11:15 ` Greg Kroah-Hartman [this message]
2017-07-19 11:15 ` [PATCH 3.18 08/28] cfg80211: Check if PMKID attribute is of expected size Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 09/28] irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 10/28] parisc: Report SIGSEGV instead of SIGBUS when running out of stack Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 11/28] parisc: use compat_sys_keyctl() Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 12/28] parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 13/28] parisc/mm: Ensure IRQs are off in switch_mm() Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 14/28] tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 15/28] kernel/extable.c: mark core_kernel_text notrace Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 16/28] fs/dcache.c: fix spin lockup issue on nlru->lock Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 17/28] checkpatch: silence perl 5.26.0 unescaped left brace warnings Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 18/28] exec: Limit arg stack to at most 75% of _STK_LIM Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 19/28] vt: fix unchecked __put_user() in tioclinux ioctls Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 22/28] crypto: atmel - only treat EBUSY as transient if backlog Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 23/28] crypto: sha1-ssse3 - Disable avx2 Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 25/28] sched/topology: Optimize build_group_mask() Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 26/28] sched/topology: Fix overlapping sched_group_mask Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 27/28] PM / QoS: return -EINVAL for bogus strings Greg Kroah-Hartman
2017-07-19 11:15 ` [PATCH 3.18 28/28] tracing: Use SOFTIRQ_OFFSET for softirq dectection for more accurate results Greg Kroah-Hartman
2017-07-19 20:31 ` [PATCH 3.18 00/28] 3.18.62-stable review Guenter Roeck
2017-07-19 23:40 ` Shuah Khan
2017-07-20 5:07 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170719111319.355411675@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dasaris@qti.qualcomm.com \
--cc=johannes.berg@intel.com \
--cc=jouni@qca.qualcomm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).