From: Luis R. Rodriguez Date: Tue, 5 Nov 2013 17:18:01 +0000 (-0800) Subject: cfg80211: check regulatory request alpha2 early X-Git-Tag: accepted/tizen/common/20141203.182822~719^2~3^2^2~267 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e438768ff9b22c83a968e14b79e8c83128e8bfe4;p=platform%2Fkernel%2Flinux-arm64.git cfg80211: check regulatory request alpha2 early Currently nl80211 allows userspace to send the kernel a bogus regulatory domain with at most 32 rules set and it won't reject it until after its allocated memory. Let's be smart about it and take advantage that the last_request is now available under RTNL and check if the alpha2 matches an expected request and reject any bogus userspace requests prior to hitting the memory allocator. Signed-off-by: Luis R. Rodriguez Signed-off-by: Johannes Berg --- diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 04fa8bb..7b73132 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -5100,6 +5100,9 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info) return -EINVAL; } + if (!reg_is_valid_request(alpha2)) + return -EINVAL; + size_of_regd = sizeof(struct ieee80211_regdomain) + num_rules * sizeof(struct ieee80211_reg_rule); diff --git a/net/wireless/reg.c b/net/wireless/reg.c index b4b1687..d8f047a 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c @@ -450,7 +450,7 @@ static int call_crda(const char *alpha2) return kobject_uevent(®_pdev->dev.kobj, KOBJ_CHANGE); } -static bool reg_is_valid_request(const char *alpha2) +bool reg_is_valid_request(const char *alpha2) { struct regulatory_request *lr = get_last_request(); diff --git a/net/wireless/reg.h b/net/wireless/reg.h index 9677e3c..b4076ba 100644 --- a/net/wireless/reg.h +++ b/net/wireless/reg.h @@ -18,6 +18,7 @@ extern const struct ieee80211_regdomain __rcu *cfg80211_regdomain; +bool reg_is_valid_request(const char *alpha2); bool is_world_regdom(const char *alpha2); bool reg_supported_dfs_region(u8 dfs_region);