[PATCH] mac80211: More strictly validate .abort_scan

[PATCH] mac80211: More strictly validate .abort_scan

[Denis Kenzior]

nl80211 requires NL80211_CMD_ABORT_SCAN to have a wdev or netdev
attribute present and checks that if netdev is provided it is UP.
However, mac80211 does not check that an ongoing scan actually belongs
to the netdev/wdev provided by the user.  In other words, it is possible
for an application to cancel scans on an interface it doesn't manage.

Signed-off-by: Denis Kenzior <denkenz@gmail.com>
Cc: stable@vger.kernel.org
---
 net/mac80211/cfg.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 70739e746c13..ece344f9e9ca 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2333,7 +2333,13 @@ static int ieee80211_scan(struct wiphy *wiphy,
 
 static void ieee80211_abort_scan(struct wiphy *wiphy, struct wireless_dev *wdev)
 {
-	ieee80211_scan_cancel(wiphy_priv(wiphy));
+	struct ieee80211_local *local = wiphy_priv(wiphy);
+	struct ieee80211_sub_if_data *sdata =
+					IEEE80211_WDEV_TO_SUB_IF(wdev);
+	bool cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata;
+
+	if (cancel_scan)
+		ieee80211_scan_cancel(local);
 }
 
 static int
-- 
2.21.0

Re: [PATCH] mac80211: More strictly validate .abort_scan

[Johannes Berg]

On Tue, 2019-10-08 at 11:33 -0500, Denis Kenzior wrote:
> nl80211 requires NL80211_CMD_ABORT_SCAN to have a wdev or netdev
> attribute present and checks that if netdev is provided it is UP.
> However, mac80211 does not check that an ongoing scan actually belongs
> to the netdev/wdev provided by the user.  In other words, it is possible
> for an application to cancel scans on an interface it doesn't manage.

I think you should do this in cfg80211.

johannes