Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp2075760ybp;
        Thu, 10 Oct 2019 01:45:04 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxKgRdl1iSgWVPeSNexx2dVy7K03xOvA60XWudJjGBhHzZCWwtvPbjjq+UTJII+YOw6UMAd
X-Received: by 2002:a17:906:4895:: with SMTP id v21mr7062055ejq.2.1570697104196;
        Thu, 10 Oct 2019 01:45:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570697104; cv=none;
        d=google.com; s=arc-20160816;
        b=J31A5z4v2IOt4YbUl2oHT/6Zvh6AFa6F1BEcpWX8Tcn9+Va5gsSkq5fOFv4LUrij2G
         EhTGizW5klD6VkfUcOhPyY2rpmomtAIpD3wzzFAXza7g4O0CN2lYeanCLHVPomxWFT2N
         1am4AoIp2J8Y0LelGUPkMs+36nBtIwqxtlPd8AHKWmPPZu6G6QfusIQZDI4WpmnrLS4K
         Npe+5lEyaA1ZOpWryPNMVwt/9QSXXfgeNSCWY/GobT9YmFZ/R3ADdlIMi9deTbzeRy1G
         wOW006pv5t7eWkY6iHsm9py/9LcUViISpHIc2hxGyL7WeGiapeOLonD5EetCQVXyoxok
         A7Dg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=QDooUeCPydq5RO7BMNN7QHWRyP51OM4GN7aP4ASgSkE=;
        b=E6ffpkfRQ5GhzBEz3ii/SPIaRUFUiV9WluuRyue6d/pLUKxWLmwFoB/1gomX8NqjXa
         /A3OFaO7tbiNtAuH3trXZgddmdyPwe1vYSSopghc0p+sfpu9Zlokn0KBg3bQMlg1uVVD
         P4I73Ygmv/0z14L8vl1lO20x/o4f2hCfwdrVVMnCo5HPJ2KiR8bC2Q+PwCarnNsskAl3
         kIHVgq4KgzzLge/hJxxeQws6punwCqTBSuxt3ag5FHlNlWAO6OWrKY5DNLe0/nw0dJBv
         HLTvz8VwI/LvJZz9ofkfJTGebonQ/s0cvwOnzLcM8nMcXE3zyNeeVj6kQvIDVbwUC8Wt
         NEoQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=auwbJ5d4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v27si2686230ejb.182.2019.10.10.01.44.40;
        Thu, 10 Oct 2019 01:45:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=auwbJ5d4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388716AbfJJInU (ORCPT <rfc822;charleyewang@gmail.com>
        + 99 others); Thu, 10 Oct 2019 04:43:20 -0400
Received: from mail.kernel.org ([198.145.29.99]:48090 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2388704AbfJJInR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 10 Oct 2019 04:43:17 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 0993421A4A;
        Thu, 10 Oct 2019 08:43:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1570696996;
        bh=pBeAS6A7LRD8yPJsSSTWTnoFfgaLOPqFv1K1vsCt9L0=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=auwbJ5d40hn4WWn0+nxtrXTItijZl60q+XZVr7k8n9kSI5YDHdivbQq7037sSm7B1
         XprNStjzMPaO3J7yGfxUTw19Jah0mg2wsMafdbs/+4PDSlLrOVtL2NQ7SgkaUyMDOD
         uowkZQhrPuEGXplCTHo5h27PYj8aCTAlPE0UhOf0=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 5.3 085/148] nl80211: validate beacon head
Date:   Thu, 10 Oct 2019 10:35:46 +0200
Message-Id: <20191010083616.514723385@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191010083609.660878383@linuxfoundation.org>
References: <20191010083609.660878383@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg <johannes.berg@intel.com>

commit f88eb7c0d002a67ef31aeb7850b42ff69abc46dc upstream.

We currently don't validate the beacon head, i.e. the header,
fixed part and elements that are to go in front of the TIM
element. This means that the variable elements there can be
malformed, e.g. have a length exceeding the buffer size, but
most downstream code from this assumes that this has already
been checked.

Add the necessary checks to the netlink policy.

Cc: stable@vger.kernel.org
Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings")
Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/nl80211.c |   37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -201,6 +201,38 @@ cfg80211_get_dev_from_info(struct net *n
 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
 }
 
+static int validate_beacon_head(const struct nlattr *attr,
+				struct netlink_ext_ack *extack)
+{
+	const u8 *data = nla_data(attr);
+	unsigned int len = nla_len(attr);
+	const struct element *elem;
+	const struct ieee80211_mgmt *mgmt = (void *)data;
+	unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
+					 u.beacon.variable);
+
+	if (len < fixedlen)
+		goto err;
+
+	if (ieee80211_hdrlen(mgmt->frame_control) !=
+	    offsetof(struct ieee80211_mgmt, u.beacon))
+		goto err;
+
+	data += fixedlen;
+	len -= fixedlen;
+
+	for_each_element(elem, data, len) {
+		/* nothing */
+	}
+
+	if (for_each_element_completed(elem, data, len))
+		return 0;
+
+err:
+	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
+	return -EINVAL;
+}
+
 static int validate_ie_attr(const struct nlattr *attr,
 			    struct netlink_ext_ack *extack)
 {
@@ -322,8 +354,9 @@ const struct nla_policy nl80211_policy[N
 
 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
-	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
-				       .len = IEEE80211_MAX_DATA_LEN },
+	[NL80211_ATTR_BEACON_HEAD] =
+		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
+				       IEEE80211_MAX_DATA_LEN),
 	[NL80211_ATTR_BEACON_TAIL] =
 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
 				       IEEE80211_MAX_DATA_LEN),