From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from omzsmtpe02.verizonbusiness.com ([199.249.25.209]:38886 "EHLO omzsmtpe02.verizonbusiness.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932328AbdJKAp6 (ORCPT ); Tue, 10 Oct 2017 20:45:58 -0400 From: "Levin, Alexander (Sasha Levin)" To: "gregkh@linuxfoundation.org" CC: "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" Subject: [GIT PULL for-4.9 06/48] mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length Date: Wed, 11 Oct 2017 00:45:20 +0000 Message-ID: <20171011004512.7949-7-alexander.levin@verizon.com> References: <20171011004512.7949-1-alexander.levin@verizon.com> In-Reply-To: <20171011004512.7949-1-alexander.levin@verizon.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Johannes Berg [ Upstream commit ff4dd73dd2b4806419f8ff65cbce11d5019548d0 ] Unfortunately, the nla policy was defined to have HWSIM_ATTR_RADIO_NAME as an NLA_STRING, rather than NLA_NUL_STRING, so we can't use it as a NUL-terminated string in the kernel. Rather than break the API, kasprintf() the string to a new buffer to guarantee NUL termination. Reported-by: Andrew Zaborowski Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- drivers/net/wireless/mac80211_hwsim.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/m=
ac80211_hwsim.c
index c06932c5ecdb..d2a28a9d3209 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3046,6 +3046,7 @@ static int hwsim_register_received_nl(struct sk_buff =
*skb_2,
 static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
 {
 struct hwsim_new_radio_params param =3D { 0 };
+ const char *hwname =3D NULL;
=20
 param.reg_strict =3D info->attrs[HWSIM_ATTR_REG_STRICT_REG];
 param.p2p_device =3D info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
@@ -3059,8 +3060,14 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, s=
truct genl_info *info)
 if (info->attrs[HWSIM_ATTR_NO_VIF])
 param.no_vif =3D true;
=20
- if (info->attrs[HWSIM_ATTR_RADIO_NAME])
- param.hwname =3D nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]);
+ if (info->attrs[HWSIM_ATTR_RADIO_NAME]) {
+ hwname =3D kasprintf(GFP_KERNEL, "%.*s",
+ nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
+ (char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]));
+ if (!hwname)
+ return -ENOMEM;
+ param.hwname =3D hwname;
+ }
=20
 if (info->attrs[HWSIM_ATTR_USE_CHANCTX])
 param.use_chanctx =3D true;
@@ -3088,11 +3095,15 @@ static int hwsim_del_radio_nl(struct sk_buff *msg, =
struct genl_info *info)
 s64 idx =3D -1;
 const char *hwname =3D NULL;
=20
- if (info->attrs[HWSIM_ATTR_RADIO_ID])
+ if (info->attrs[HWSIM_ATTR_RADIO_ID]) {
 idx =3D nla_get_u32(info->attrs[HWSIM_ATTR_RADIO_ID]);
- else if (info->attrs[HWSIM_ATTR_RADIO_NAME])
- hwname =3D (void *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]);
- else
+ } else if (info->attrs[HWSIM_ATTR_RADIO_NAME]) {
+ hwname =3D kasprintf(GFP_KERNEL, "%.*s",
+ nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
+ (char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]));
+ if (!hwname)
+ return -ENOMEM;
+ } else
 return -EINVAL;
=20
 spin_lock_bh(&hwsim_radio_lock);
@@ -3101,7 +3112,8 @@ static int hwsim_del_radio_nl(struct sk_buff *msg, st=
ruct genl_info *info)
 if (data->idx !=3D idx)
 continue;
 } else {
- if (strcmp(hwname, wiphy_name(data->hw->wiphy)))
+ if (!hwname ||
+ strcmp(hwname, wiphy_name(data->hw->wiphy)))
 continue;
 }
=20
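Review bot: The buffer that kasprintf() returns in hwsim_new_radio_nl is stored in `param.hwname`, but no hunk in this patch frees it, while hwsim_del_radio_nl gets a `kfree(hwname)` on both of its exits. The rest of hwsim_new_radio_nl lies outside the hunk, so unless mac80211_hwsim_new_radio() takes ownership of the string (not visible here), every new-radio request that carries a name leaks one allocation, and a netlink caller can repeat that to consume kernel memory. The tail of the function should free the copy, for example `ret = mac80211_hwsim_new_radio(info, &param); kfree(hwname); return ret;`, and any early return that follows the allocation needs the same `kfree(hwname)`.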
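Review bot: The three-line `kasprintf(GFP_KERNEL, "%.*s", nla_len(...), (char *)nla_data(...))` copy in hwsim_del_radio_nl is a verbatim duplicate of the one added to hwsim_new_radio_nl, and neither site says why the copy is needed. A small static helper that both handlers call would keep the bounded copy in one place; its body can be `return kstrndup(nla_data(attr), nla_len(attr), GFP_KERNEL);`, which stops at the attribute length or the first NUL just as `%.*s` does. I would put the reason above it: `/* policy is NLA_STRING, so the payload may lack a trailing NUL; copy before using it as a C string */`. hwsim_del_radio_nl starts and ends outside this hunk.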
@@ -3112,10 +3124,12 @@ static int hwsim_del_radio_nl(struct sk_buff *msg, =
struct genl_info *info)
 spin_unlock_bh(&hwsim_radio_lock);
 mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),
 info);
+ kfree(hwname);
 return 0;
 }
 spin_unlock_bh(&hwsim_radio_lock);
=20
+ kfree(hwname);
 return -ENODEV;
 }
=20
--=20
2.11.0