Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp2075760ybp; Thu, 10 Oct 2019 01:45:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqxKgRdl1iSgWVPeSNexx2dVy7K03xOvA60XWudJjGBhHzZCWwtvPbjjq+UTJII+YOw6UMAd X-Received: by 2002:a17:906:4895:: with SMTP id v21mr7062055ejq.2.1570697104196; Thu, 10 Oct 2019 01:45:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570697104; cv=none; d=google.com; s=arc-20160816; b=J31A5z4v2IOt4YbUl2oHT/6Zvh6AFa6F1BEcpWX8Tcn9+Va5gsSkq5fOFv4LUrij2G EhTGizW5klD6VkfUcOhPyY2rpmomtAIpD3wzzFAXza7g4O0CN2lYeanCLHVPomxWFT2N 1am4AoIp2J8Y0LelGUPkMs+36nBtIwqxtlPd8AHKWmPPZu6G6QfusIQZDI4WpmnrLS4K Npe+5lEyaA1ZOpWryPNMVwt/9QSXXfgeNSCWY/GobT9YmFZ/R3ADdlIMi9deTbzeRy1G wOW006pv5t7eWkY6iHsm9py/9LcUViISpHIc2hxGyL7WeGiapeOLonD5EetCQVXyoxok A7Dg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=QDooUeCPydq5RO7BMNN7QHWRyP51OM4GN7aP4ASgSkE=; b=E6ffpkfRQ5GhzBEz3ii/SPIaRUFUiV9WluuRyue6d/pLUKxWLmwFoB/1gomX8NqjXa /A3OFaO7tbiNtAuH3trXZgddmdyPwe1vYSSopghc0p+sfpu9Zlokn0KBg3bQMlg1uVVD P4I73Ygmv/0z14L8vl1lO20x/o4f2hCfwdrVVMnCo5HPJ2KiR8bC2Q+PwCarnNsskAl3 kIHVgq4KgzzLge/hJxxeQws6punwCqTBSuxt3ag5FHlNlWAO6OWrKY5DNLe0/nw0dJBv HLTvz8VwI/LvJZz9ofkfJTGebonQ/s0cvwOnzLcM8nMcXE3zyNeeVj6kQvIDVbwUC8Wt NEoQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=auwbJ5d4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v27si2686230ejb.182.2019.10.10.01.44.40; Thu, 10 Oct 2019 01:45:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=auwbJ5d4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388716AbfJJInU (ORCPT + 99 others); Thu, 10 Oct 2019 04:43:20 -0400 Received: from mail.kernel.org ([198.145.29.99]:48090 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388704AbfJJInR (ORCPT ); Thu, 10 Oct 2019 04:43:17 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0993421A4A; Thu, 10 Oct 2019 08:43:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1570696996; bh=pBeAS6A7LRD8yPJsSSTWTnoFfgaLOPqFv1K1vsCt9L0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=auwbJ5d40hn4WWn0+nxtrXTItijZl60q+XZVr7k8n9kSI5YDHdivbQq7037sSm7B1 XprNStjzMPaO3J7yGfxUTw19Jah0mg2wsMafdbs/+4PDSlLrOVtL2NQ7SgkaUyMDOD uowkZQhrPuEGXplCTHo5h27PYj8aCTAlPE0UhOf0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johannes Berg Subject: [PATCH 5.3 085/148] nl80211: validate beacon head Date: Thu, 10 Oct 2019 10:35:46 +0200 Message-Id: <20191010083616.514723385@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191010083609.660878383@linuxfoundation.org> References: <20191010083609.660878383@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg commit f88eb7c0d002a67ef31aeb7850b42ff69abc46dc upstream. We currently don't validate the beacon head, i.e. the header, fixed part and elements that are to go in front of the TIM element. This means that the variable elements there can be malformed, e.g. have a length exceeding the buffer size, but most downstream code from this assumes that this has already been checked. Add the necessary checks to the netlink policy. Cc: stable@vger.kernel.org Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings") Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/nl80211.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -201,6 +201,38 @@ cfg80211_get_dev_from_info(struct net *n return __cfg80211_rdev_from_attrs(netns, info->attrs); } +static int validate_beacon_head(const struct nlattr *attr, + struct netlink_ext_ack *extack) +{ + const u8 *data = nla_data(attr); + unsigned int len = nla_len(attr); + const struct element *elem; + const struct ieee80211_mgmt *mgmt = (void *)data; + unsigned int fixedlen = offsetof(struct ieee80211_mgmt, + u.beacon.variable); + + if (len < fixedlen) + goto err; + + if (ieee80211_hdrlen(mgmt->frame_control) != + offsetof(struct ieee80211_mgmt, u.beacon)) + goto err; + + data += fixedlen; + len -= fixedlen; + + for_each_element(elem, data, len) { + /* nothing */ + } + + if (for_each_element_completed(elem, data, len)) + return 0; + +err: + NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head"); + return -EINVAL; +} + static int validate_ie_attr(const struct nlattr *attr, struct netlink_ext_ack *extack) { @@ -322,8 +354,9 @@ const struct nla_policy nl80211_policy[N [NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 }, [NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 }, - [NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY, - .len = IEEE80211_MAX_DATA_LEN }, + [NL80211_ATTR_BEACON_HEAD] = + NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head, + IEEE80211_MAX_DATA_LEN), [NL80211_ATTR_BEACON_TAIL] = NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr, IEEE80211_MAX_DATA_LEN),