Received: by 10.223.185.116 with SMTP id b49csp2286302wrg; Thu, 22 Feb 2018 11:08:20 -0800 (PST) X-Google-Smtp-Source: AH8x226SnRTOgHtvY3vMjhSx5G3qfkwF/gsoA4PVRR2MFQ1Ki7J3NIKKwbBx0rMG2db2r2vHQ5/N X-Received: by 2002:a17:902:27:: with SMTP id 36-v6mr7524202pla.128.1519326500183; Thu, 22 Feb 2018 11:08:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519326500; cv=none; d=google.com; s=arc-20160816; b=xk3l4QDErFdIWgNr+ysjLdHERPQizpQ8Uw05l4ff2lgYTMkpaRF6+/vYHe6MpgT27J ZXnTaTRaYViuZFzKHzcL7K2haITsuOd5pTGvZzmI26iIGxx2WehI6U4zQ0U4bzpIpu1N n+PNYyl4N6SA8dwPNKcniPz9eovBE06Htff7jDxRf4uyHL3iczyr2RT0iB3dsMUPNIop itlk9ViEHPlaNgMSV5N81z6LxKOYdRqrlsR576/nuDCIj619t3t6Edcsv45DuDxRSOJc PvjyIBAx68UDiuwjBdruBOJSICnNFTMW51pbsciapYfe8Y5wAyoN0qzuYRIDh64IuSGu HVFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date :arc-authentication-results; bh=9Bgi2XkUV0hWlmAfQ14NI2Zu7ZrQJwsCjmF0XsRYEtc=; b=W1mAITyMyvK6pv/g3qmWrtxgiA4chcEv8pnd9M1Qz6UbpQZQrCyIFfbvxJnzYozLmx GCrAVjMpZ2y+sLb74IOxfohpQNifYHv/ck1oPKtUb2FwyHrPanicf6wNf83wr6XB3Vdp HABkFpqdLCInarllVGJRrNAmBL30AtqFvCDwm5VDxWPOLWGYXPAf91t3y0ebItMPHkhu t46jThHTfLoFvDHa9eYNCHqKNwY/6V1JudSoFJ+K/8bbW2IEJvSnba1e9UxXcAG6j6jp fS8bxQiO7Y35jCBIoU67nAPiTW3BSmsodB42Jt1Ad8ebtYqP86n0hLjL77HIlQj7Kteu J2Gg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f91-v6si454264plf.498.2018.02.22.11.08.05; Thu, 22 Feb 2018 11:08:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751528AbeBVTHL (ORCPT + 99 others); Thu, 22 Feb 2018 14:07:11 -0500 Received: from shards.monkeyblade.net ([184.105.139.130]:50610 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751456AbeBVTHI (ORCPT ); Thu, 22 Feb 2018 14:07:08 -0500 Received: from localhost (67.110.78.66.ptr.us.xo.net [67.110.78.66]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id 5A1CA13F034B5; Thu, 22 Feb 2018 11:07:05 -0800 (PST) Date: Thu, 22 Feb 2018 14:07:04 -0500 (EST) Message-Id: <20180222.140704.166412303524863230.davem@davemloft.net> To: keescook@google.com Cc: tgraf@suug.ch, johannes@sipsolutions.net, daniel@iogearbox.net, ast@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, danielmicay@gmail.com Subject: Re: nla_put_string() vs NLA_STRING From: David Miller In-Reply-To: References: X-Mailer: Mew version 6.7 on Emacs 25.3 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Thu, 22 Feb 2018 11:07:06 -0800 (PST) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook Date: Tue, 20 Feb 2018 22:00:26 -0800 > So, this specific problem needs fixing (in at least two places calling > nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, ...)). While I suspect > it's only ever written an extra byte from the following variable in > the structure which is an enum nl80211_dfs_regions, I worry there > might be a lot more of these (though I'd hope unterminated strings are > uncommon for internal representation). And more generally, it seems > like only the NLA _input_ functions actually check nla_policy details. > It seems that the output functions should do the same too, yes? Generally speaking, the policy is for making sure the user doesn't give us garbage. When building netlink attributes itself, the kernel is supposed to know what it is doing.