* [PATCH] mac80211: More strictly validate .abort_scan
@ 2019-10-08 16:33 Denis Kenzior
2019-10-11 8:28 ` Johannes Berg
0 siblings, 1 reply; 2+ messages in thread
From: Denis Kenzior @ 2019-10-08 16:33 UTC (permalink / raw)
To: linux-wireless, johannes; +Cc: Denis Kenzior, stable
nl80211 requires NL80211_CMD_ABORT_SCAN to have a wdev or netdev
attribute present and checks that if netdev is provided it is UP.
However, mac80211 does not check that an ongoing scan actually belongs
to the netdev/wdev provided by the user. In other words, it is possible
for an application to cancel scans on an interface it doesn't manage.
Signed-off-by: Denis Kenzior <denkenz@gmail.com>
Cc: stable@vger.kernel.org
---
net/mac80211/cfg.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 70739e746c13..ece344f9e9ca 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2333,7 +2333,13 @@ static int ieee80211_scan(struct wiphy *wiphy,
static void ieee80211_abort_scan(struct wiphy *wiphy, struct wireless_dev *wdev)
{
- ieee80211_scan_cancel(wiphy_priv(wiphy));
+ struct ieee80211_local *local = wiphy_priv(wiphy);
+ struct ieee80211_sub_if_data *sdata =
+ IEEE80211_WDEV_TO_SUB_IF(wdev);
+ bool cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata;
+
+ if (cancel_scan)
+ ieee80211_scan_cancel(local);
}
static int
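Review bot: the ownership test in `bool cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata;` and the `ieee80211_scan_cancel(local)` call that follows are a check-then-act pair with no lock taken in this function, so the scan that gets cancelled is not guaranteed to be the one that was compared. If the scan owned by this sdata completes and another interface starts one between the two statements, that other interface's scan is cancelled, which is the case the commit message sets out to prevent. Consider making the comparison under whatever lock serialises updates to local->scan_sdata, or passing sdata down so the cancel path can verify ownership itself. Separately, the function returns void, so a request naming a wdev that does not own the scan is now silently ignored; a one-line comment saying so would help, and the `cancel_scan` temporary can be folded into the `if`.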
--
2.21.0
* Re: [PATCH] mac80211: More strictly validate .abort_scan
2019-10-08 16:33 [PATCH] mac80211: More strictly validate .abort_scan Denis Kenzior
@ 2019-10-11 8:28 ` Johannes Berg
0 siblings, 0 replies; 2+ messages in thread
From: Johannes Berg @ 2019-10-11 8:28 UTC (permalink / raw)
To: Denis Kenzior, linux-wireless; +Cc: stable
On Tue, 2019-10-08 at 11:33 -0500, Denis Kenzior wrote:
> nl80211 requires NL80211_CMD_ABORT_SCAN to have a wdev or netdev
> attribute present and checks that if netdev is provided it is UP.
> However, mac80211 does not check that an ongoing scan actually belongs
> to the netdev/wdev provided by the user. In other words, it is possible
> for an application to cancel scans on an interface it doesn't manage.
I think you should do this in cfg80211.
johannes