nl80211: accept only HE capability elements with valid size

The kernel (driver code) should be able to assume that a station's
HE capabilities are not badly sized, so reject them if they are.

Link: https://lore.kernel.org/r/20220214172921.80b710d45cb7.Id57ce32f9538a40e36c620fabedbd2c73346ef56@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 56ff332..5c49d7c 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -285,6 +285,15 @@ static int validate_ie_attr(const struct nlattr *attr,
        return -EINVAL;
 }
 
+static int validate_he_capa(const struct nlattr *attr,
+                           struct netlink_ext_ack *extack)
+{
+       if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
+               return -EINVAL;
+
+       return 0;
+}
+
 /* policy for the attributes */
 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
 
@@ -730,9 +739,8 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
        [NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
        [NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
        [NL80211_ATTR_HE_CAPABILITY] =
-               NLA_POLICY_RANGE(NLA_BINARY,
-                                NL80211_HE_MIN_CAPABILITY_LEN,
-                                NL80211_HE_MAX_CAPABILITY_LEN),
+               NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
+                                      NL80211_HE_MAX_CAPABILITY_LEN),
        [NL80211_ATTR_FTM_RESPONDER] =
                NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
        [NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),