Skip to content

Commit 6df4d17

Browse files
davem330davem330
committed
Merge tag 'mac80211-for-davem-2017-10-09' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
Johannes Berg says: ==================== pull-request: mac80211 2017-10-09 The QCA folks found another netlink problem - we were missing validation of some attributes. It's not super problematic since one can only read a few bytes beyond the message (and that memory must exist), but here's the fix for it. I thought perhaps we can make nla_parse_nested() require a policy, but given the two-stage validation/parsing in regular netlink that won't work. Please pull and let me know if there's any problem. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2 parents 93b0319 + ad67023 commit 6df4d17

File tree

1 file changed

+12
-2
lines changed

1 file changed

+12
-2
lines changed

net/wireless/nl80211.c

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -549,6 +549,14 @@ nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
549549
[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
550550
};
551551

552+
/* policy for packet pattern attributes */
553+
static const struct nla_policy
554+
nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
555+
[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
556+
[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
557+
[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
558+
};
559+
552560
static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
553561
struct netlink_callback *cb,
554562
struct cfg80211_registered_device **rdev,
@@ -10532,7 +10540,8 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
1053210540
u8 *mask_pat;
1053310541

1053410542
nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
10535-
NULL, info->extack);
10543+
nl80211_packet_pattern_policy,
10544+
info->extack);
1053610545
err = -EINVAL;
1053710546
if (!pat_tb[NL80211_PKTPAT_MASK] ||
1053810547
!pat_tb[NL80211_PKTPAT_PATTERN])
@@ -10781,7 +10790,8 @@ static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
1078110790
rem) {
1078210791
u8 *mask_pat;
1078310792

10784-
nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat, NULL, NULL);
10793+
nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
10794+
nl80211_packet_pattern_policy, NULL);
1078510795
if (!pat_tb[NL80211_PKTPAT_MASK] ||
1078610796
!pat_tb[NL80211_PKTPAT_PATTERN])
1078710797
return -EINVAL;

0 commit comments

Comments
 (0)