Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2061750imm; Thu, 24 May 2018 05:15:43 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpCPR50NE0zIxph75b10z9zmxxaY7iMaXDSiMcpJ5g957c3WKGSk4nZcul6avv+1djQcJPA X-Received: by 2002:a65:510c:: with SMTP id f12-v6mr5603173pgq.385.1527164143201; Thu, 24 May 2018 05:15:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527164143; cv=none; d=google.com; s=arc-20160816; b=mP8zMQl5TD1eVreCr3VZDbBrKv+wXtQzNcqzQ64+WWJ/40qcg2eOAdYnoXjZohG+6b L886c1xHmwH3hN2r4lq28F04zzlzNsfFnhBvNuAgpilF9tx6e8xyGKHabk8f1M9cx/ER kInsHCc7WJ0AwFD5ekNbsG2ENm53kHhcKTrH4NIKUvdQqmRLt81j/476sB9W/jU057Lh d1FqCojUxQttYSLhNYgnPT6qugeJY5ybFIxgZ2yPm0Bl+nVbWNw/nIqp2oDErBBfzaar ohNveIKqN+ZurC2pDk1GiHynQaxELiGwz2dhn9KmxsmlYFVlXJJOhvTw9MDkvOSyYU4D nkMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=e3qN3l5KPU6ngoRqA3GwFcUFgerv3MG/uUEM/LfUaKI=; b=N1an7OcFNxOlUxQlty+oZWQiC2bgIbg9PYVpr/RsD8pHzMWYu26UioiOrH0F5Vpu0a 2sNomEyx8xA5lDDKOiCydykTvybV2GzTdU/o64r08Xe+bbkV4vTKRayDPmieG8hzOFJq 2x4oAfZRu4hijzrOWl3DfdyDyBDK15gx4ljWOLepKf9W0MaKUXzbtVJIocn0KN34YBS0 Qxl1o6g8Gy5EAQMCSUGn4EGvSAsTkcon8v0JYGXlkVb954qUgX241Ma1wyAiB6C+5q9X nieh+6WtaW78ULwLIIYYGDQ6elHq6K45Y5BJqxyHswWLrrxMwzSgFyGOV7eldSBjE+lS 91hA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=hGcCLEaa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 43-v6si20838700plc.418.2018.05.24.05.15.26; Thu, 24 May 2018 05:15:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=hGcCLEaa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S969842AbeEXMOm (ORCPT + 99 others); Thu, 24 May 2018 08:14:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:54018 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966338AbeEXJmX (ORCPT ); Thu, 24 May 2018 05:42:23 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 79A2220891; Thu, 24 May 2018 09:42:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527154943; bh=klSY0Q/IwmsVndC6ZFLEcppk6oR5fW8WCDJ7hMWLT7o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hGcCLEaaWaQeYoWUXQ4/EK1m55vT81LInzH8+GCXaOXOYOvGrzH/dPWI+7GlZAPoa i4W5fZOXU1kP1vwEqUSAdVgWt9UIrDSKilJNnbaz+UMO2RCxDxj4Ht8ZvC0OGsgj7c ACOM0WjGBxT67/WhjjT9LAZfLGNRNWcAlU57Hef4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com, Johannes Berg Subject: [PATCH 3.18 43/45] cfg80211: limit wiphy names to 128 bytes Date: Thu, 24 May 2018 11:38:51 +0200 Message-Id: <20180524093126.477631162@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180524093120.599252450@linuxfoundation.org> References: <20180524093120.599252450@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream. There's currently no limit on wiphy names, other than netlink message size and memory limitations, but that causes issues when, for example, the wiphy name is used in a uevent, e.g. in rfkill where we use the same name for the rfkill instance, and then the buffer there is "only" 2k for the environment variables. This was reported by syzkaller, which used a 4k name. Limit the name to something reasonable, I randomly picked 128. Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- include/uapi/linux/nl80211.h | 2 ++ net/wireless/core.c | 3 +++ 2 files changed, 5 insertions(+) --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h @@ -2026,6 +2026,8 @@ enum nl80211_attrs { #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS +#define NL80211_WIPHY_NAME_MAXLEN 128 + #define NL80211_MAX_SUPP_RATES 32 #define NL80211_MAX_SUPP_HT_RATES 77 #define NL80211_MAX_SUPP_REG_RULES 32 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -94,6 +94,9 @@ int cfg80211_dev_rename(struct cfg80211_ ASSERT_RTNL(); + if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) + return -EINVAL; + /* prohibit calling the thing phy%d when %d is not its number */ sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {