From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg
Subject: [PATCH 4.9 34/92] nl80211: validate beacon head
Date: Wed, 16 Oct 2019 14:50:07 -0700
Message-Id: <20191016214827.202831898@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191016214759.600329427@linuxfoundation.org>
References: <20191016214759.600329427@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg

commit f88eb7c0d002a67ef31aeb7850b42ff69abc46dc upstream.

We currently don't validate the beacon head, i.e. the header, fixed part and elements that are to go in front of the TIM element. This means that the variable elements there can be malformed, e.g. have a length exceeding the buffer size, but most downstream code from this assumes that this has already been checked.

Add the necessary checks to the netlink policy.

Cc: stable@vger.kernel.org
Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings")
Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/wireless/nl80211.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -213,6 +213,36 @@ cfg80211_get_dev_from_info(struct net *n return __cfg80211_rdev_from_attrs(netns, info->attrs); } +static int validate_beacon_head(const struct nlattr *attr) +{ + const u8 *data = nla_data(attr); + unsigned int len = nla_len(attr); + const struct element *elem; + const struct ieee80211_mgmt *mgmt = (void *)data; + unsigned int fixedlen = offsetof(struct ieee80211_mgmt, + u.beacon.variable); + + if (len < fixedlen) + goto err; + + if (ieee80211_hdrlen(mgmt->frame_control) != + offsetof(struct ieee80211_mgmt, u.beacon)) + goto err; + + data += fixedlen; + len -= fixedlen; + + for_each_element(elem, data, len) { + /* nothing */ + } + + if (for_each_element_completed(elem, data, len)) + return 0; + +err: + return -EINVAL; +} + /* policy for the attributes */ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { [NL80211_ATTR_WIPHY] = { .type = NLA_U32 }, @@ -3680,6 +3710,11 @@ static int nl80211_parse_beacon(struct n memset(bcn, 0, sizeof(*bcn)); if (attrs[NL80211_ATTR_BEACON_HEAD]) { + int ret = validate_beacon_head(attrs[NL80211_ATTR_BEACON_HEAD]); + + if (ret) + return ret; + bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]); bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]); if (!bcn->head_len)
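Review bot: in the first hunk, validate_beacon_head() only checks that ieee80211_hdrlen(mgmt->frame_control) equals offsetof(struct ieee80211_mgmt, u.beacon), i.e. a plain 24-byte header; it does not check that the frame control actually encodes a management/beacon frame. A data frame without QoS and without Address 4 also has a 24-byte header and passes this test, so the function admits frame types the beacon code does not expect. Suggest adding `if (!ieee80211_is_beacon(mgmt->frame_control)) goto err;` next to the hdrlen comparison, plus a short comment above the function stating the invariant it establishes (fixed part present, every element fits inside the buffer), since that is exactly what the commit message says downstream code relies on. The empty `for_each_element(elem, data, len) { /* nothing */ }` body is correct as the walk, but a comment saying the loop exists only so that for_each_element_completed() can confirm the walk consumed the whole buffer would save the next reader a double take.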
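Review bot: the second hunk performs the validation by calling validate_beacon_head() from nl80211_parse_beacon(), while the commit message says the checks are added "to the netlink policy"; the nl80211_policy[] table in the first hunk appears only as unchanged context. For a 4.9 backport that placement is reasonable, but a one-line backport note under the `---` marker should say so, since a reader checking that the policy table validates NL80211_ATTR_BEACON_HEAD will find that it does not. Also, once validate_beacon_head() has returned 0, nla_len() is at least offsetof(struct ieee80211_mgmt, u.beacon.variable), so the existing `if (!bcn->head_len)` test that follows the new call can no longer fire for a validated head; it is harmless, but it is now redundant on this path and deserves a comment so nobody later "fixes" the apparent inconsistency.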
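The malformed-element case the commit message describes (an element whose length byte claims more bytes than remain in the buffer) is easiest to see on a stand-alone copy of the check. What follows is an added example, not kernel code from this patch: it re-implements the same three checks in user space with local stand-ins for struct ieee80211_mgmt, ieee80211_hdrlen() and for_each_element()/for_each_element_completed(), and runs them over constructed beacon heads. The names hdrlen_from_fc, validate_beacon_head_example, validate_good_with_fc and the sample byte arrays are this example's own; the header-length helper models only the frame-control bits that matter for this check, and its control-frame branch is an approximation.

```c
/* Added example, not the kernel's code: user-space re-implementation of the
 * three checks validate_beacon_head() performs, with local stand-ins for
 * struct ieee80211_mgmt, ieee80211_hdrlen() and for_each_element(). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 management header: fc(2) dur(2) da(6) sa(6) bssid(6) seq(2) = 24 */
#define MGMT_HDR_LEN      24u
/* Beacon fixed part: timestamp(8) beacon_int(2) capab_info(2) = 12 */
#define BEACON_FIXED_LEN  12u
/* Stand-in for offsetof(struct ieee80211_mgmt, u.beacon.variable) */
#define BEACON_HEAD_FIXED (MGMT_HDR_LEN + BEACON_FIXED_LEN)

/* Simplified stand-in for ieee80211_hdrlen(): header length implied by the
 * little-endian frame-control field. Control frames are an approximation. */
static unsigned int hdrlen_from_fc(uint16_t fc)
{
    unsigned int hdrlen = MGMT_HDR_LEN;

    switch (fc & 0x000c) {              /* type, bits 2-3 */
    case 0x0000:                        /* management */
        if (fc & 0x8000)                /* Order bit: HT Control present */
            hdrlen += 4;
        return hdrlen;
    case 0x0008:                        /* data */
        if ((fc & 0x0300) == 0x0300)    /* To DS + From DS: Address 4 */
            hdrlen += 6;
        if (fc & 0x0080)                /* QoS subtype bit: QoS Control */
            hdrlen += 2;
        return hdrlen;
    default:                            /* control: assumption, not per subtype */
        return 16;
    }
}

/* 0 when the fixed part is present, the header is a plain 24-byte management
 * header and every element fits exactly inside the buffer; -EINVAL otherwise
 * (same return convention as the kernel function). */
int validate_beacon_head_example(const uint8_t *data, size_t len)
{
    uint16_t fc;
    size_t pos;

    if (len < BEACON_HEAD_FIXED)
        return -EINVAL;

    fc = (uint16_t)(data[0] | (data[1] << 8));
    if (hdrlen_from_fc(fc) != MGMT_HDR_LEN)
        return -EINVAL;

    data += BEACON_HEAD_FIXED;
    len -= BEACON_HEAD_FIXED;

    /* Element walk: each element is id(1) len(1) body(len). Stop at the first
     * element whose header or body does not fit (what for_each_element does);
     * the walk is "completed" only if it ends exactly at the buffer's end. */
    for (pos = 0; len - pos >= 2 && (size_t)data[pos + 1] + 2 <= len - pos; )
        pos += 2 + data[pos + 1];

    return pos == len ? 0 : -EINVAL;
}

/* Constructed sample beacon heads (not captured traffic). */
#define HDR_AND_FIXED                                               \
    0x80, 0x00,                         /* frame control: beacon */ \
    0x00, 0x00,                         /* duration */              \
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* DA: broadcast */         \
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* SA */                    \
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* BSSID */                 \
    0x00, 0x00,                         /* sequence control */      \
    0, 0, 0, 0, 0, 0, 0, 0,             /* timestamp */             \
    0x64, 0x00,                         /* beacon interval 100 TU */\
    0x01, 0x00                          /* capability: ESS */

static const uint8_t good_head[] = {
    HDR_AND_FIXED,
    0x00, 0x04, 't', 'e', 's', 't',     /* SSID element, 4 bytes */
    0x03, 0x01, 0x06                    /* DS Parameter Set, channel 6 */
};

/* Same frame, but the SSID length byte claims 32 bytes while only 4 follow:
 * the case the commit message describes. */
static const uint8_t overlong_head[] = {
    HDR_AND_FIXED,
    0x00, 0x20, 't', 'e', 's', 't',
    0x03, 0x01, 0x06
};

/* Re-run the check on good_head with a different frame-control field, to
 * show which frame types the header-length test alone accepts. */
int validate_good_with_fc(uint8_t fc_lo, uint8_t fc_hi)
{
    uint8_t buf[sizeof(good_head)];

    memcpy(buf, good_head, sizeof(buf));
    buf[0] = fc_lo;
    buf[1] = fc_hi;
    return validate_beacon_head_example(buf, sizeof(buf));
}

int main(void)
{
    printf("good:      %d\n", validate_beacon_head_example(good_head, sizeof(good_head)));
    printf("overlong:  %d\n", validate_beacon_head_example(overlong_head, sizeof(overlong_head)));
    printf("truncated: %d\n", validate_beacon_head_example(good_head, sizeof(good_head) - 1));
    printf("ht order:  %d\n", validate_good_with_fc(0x80, 0x80));
    printf("plain data:%d\n", validate_good_with_fc(0x08, 0x00));
    return 0;
}
```

The truncated case matters as much as the overlong one: dropping the last byte leaves a DS Parameter Set element whose body no longer fits, and the walk stops short of the buffer end, which is exactly what for_each_element_completed() catches. The plain-data frame-control case (0x08, 0x00) passes the header-length test because a non-QoS data frame without Address 4 also has a 24-byte header, which is why a beacon-type check alongside the hdrlen comparison is worth having.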