From: "Luis R. Rodriguez" <mcgrof@do-not-panic.com>
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org,
"Luis R. Rodriguez" <mcgrof@do-not-panic.com>
Subject: [PATCH 03/19] cfg80211: check regulatory request alpha2 early
Date: Tue, 5 Nov 2013 09:18:01 -0800
Message-ID: <1383671897-7746-4-git-send-email-mcgrof@do-not-panic.com>
In-Reply-To: <1383671897-7746-1-git-send-email-mcgrof@do-not-panic.com>
Currently nl80211 allows userspace to send the kernel
a bogus regulatory domain with at most 32 rules set
and it won't reject it until after it's allocated
memory. Let's be smart about it and take advantage
that the last_request is now available under RCU
and check if the alpha2 matches an expected request
and reject any bogus userspace requests prior to
hitting the memory allocator.

Signed-off-by: Luis R. Rodriguez <mcgrof@do-not-panic.com>
---
net/wireless/nl80211.c | 3 +++
net/wireless/reg.c | 2 +-
net/wireless/reg.h | 1 +
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index cc5d106..476d32c 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5053,6 +5053,9 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
return -EINVAL;
}
+ if (!reg_is_valid_request(alpha2))
+ return -EINVAL;
+
size_of_regd = sizeof(struct ieee80211_regdomain) +
num_rules * sizeof(struct ieee80211_reg_rule);
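Review bot: The new `if (!reg_is_valid_request(alpha2))` test before the size_of_regd computation is a snapshot of last_request, and the commit message says last_request is RCU-managed, so it can be replaced between this early test and the point where the regdomain is actually applied. Please say in the commit message or a comment that this early return is only a fast reject that avoids the allocation, and that the existing validation after the allocation remains the authoritative check and must not be dropped on the strength of this one.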
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 6183c90..ff595d1 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -450,7 +450,7 @@ static int call_crda(const char *alpha2)
return kobject_uevent(®_pdev->dev.kobj, KOBJ_CHANGE);
}
-static bool reg_is_valid_request(const char *alpha2)
+bool reg_is_valid_request(const char *alpha2)
{
struct regulatory_request *lr = get_last_request();
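Review bot: Dropping `static` from reg_is_valid_request() gives it a caller outside reg.c, but the first thing it does is `struct regulatory_request *lr = get_last_request();`, and nothing visible here or at the new nl80211_set_reg() call site shows rcu_read_lock() or a lock being held. Since last_request is described as available under RCU, please state the required calling context in a comment above the function, and either take the RCU read side inside it or make the nl80211 caller do so before the call.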
diff --git a/net/wireless/reg.h b/net/wireless/reg.h
index 9677e3c..b4076ba 100644
--- a/net/wireless/reg.h
+++ b/net/wireless/reg.h
@@ -18,6 +18,7 @@
extern const struct ieee80211_regdomain __rcu *cfg80211_regdomain;
+bool reg_is_valid_request(const char *alpha2);
bool is_world_regdom(const char *alpha2);
bool reg_supported_dfs_region(u8 dfs_region);
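Review bot: The prototype `bool reg_is_valid_request(const char *alpha2);` is now part of the header with no description, and the name does not say what "valid" means. A one-line comment noting that it returns true only when alpha2 matches the pending last_request, plus the locking the caller must provide, would make the contract clear to other users of reg.h.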
--
1.8.4.rc3