Home Explore Help
Sign In
PUBLIC_REPOS
/
ti-processor-sdk-linux
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

nl80211: validate beacon head

commit f88eb7c0d002a67ef31aeb7850b42ff69abc46dc upstream.

We currently don't validate the beacon head, i.e. the header,
fixed part and elements that are to go in front of the TIM
element. This means that the variable elements there can be
malformed, e.g. have a length exceeding the buffer size, but
most downstream code from this assumes that this has already
been checked.

Add the necessary checks to the netlink policy.

Cc: stable@vger.kernel.org
Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings")
Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johannes Berg 6 years ago
parent
527ba5d763
commit
1bd17a737c
1 changed files with 38 additions and 0 deletions
Unified View Show Diff Stats
  1. 38 0
      net/wireless/nl80211.c

+ 38 - 0
net/wireless/nl80211.c
View File 

@@ -200,6 +200,38 @@ cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
 
 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
 
 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
 
 }
 
 }
 
 
 
+static int validate_beacon_head(const struct nlattr *attr,
 
+				struct netlink_ext_ack *extack)
 
+{
 
+	const u8 *data = nla_data(attr);
 
+	unsigned int len = nla_len(attr);
 
+	const struct element *elem;
 
+	const struct ieee80211_mgmt *mgmt = (void *)data;
 
+	unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
 
+					 u.beacon.variable);
 
+
 
+	if (len < fixedlen)
 
+		goto err;
 
+
 
+	if (ieee80211_hdrlen(mgmt->frame_control) !=
 
+	    offsetof(struct ieee80211_mgmt, u.beacon))
 
+		goto err;
 
+
 
+	data += fixedlen;
 
+	len -= fixedlen;
 
+
 
+	for_each_element(elem, data, len) {
 
+		/* nothing */
 
+	}
 
+
 
+	if (for_each_element_completed(elem, data, len))
 
+		return 0;
 
+
 
+err:
 
+	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
 
+	return -EINVAL;
 
+}
 
+
 
 /* policy for the attributes */
 
 /* policy for the attributes */
 
 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 
 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 
 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
 
 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
 
@@ -4016,6 +4048,12 @@ static int nl80211_parse_beacon(struct nlattr *attrs[],
 
 	memset(bcn, 0, sizeof(*bcn));
 
 	memset(bcn, 0, sizeof(*bcn));
 
 
 
 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
 
 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
 
+		int ret = validate_beacon_head(attrs[NL80211_ATTR_BEACON_HEAD],
 
+					       NULL);
 
+
 
+		if (ret)
 
+			return ret;
 
+
 
 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
 
 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
 
 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
 
 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
 
 		if (!bcn->head_len)
 
 		if (!bcn->head_len)