cfg80211: Check if NAN service ID is of expected size
nla policy checks for only maximum length of the attribute data when the
attribute type is NLA_BINARY. If userspace sends less data than
specified, cfg80211 may access illegal memory. When type is NLA_UNSPEC,
nla policy check ensures that userspace sends minimum specified length
number of bytes.
Remove type assignment to NLA_BINARY from nla_policy of
NL80211_NAN_FUNC_SERVICE_ID to make these NLA_UNSPEC and to make sure
minimum NL80211_NAN_FUNC_SERVICE_ID_LEN bytes are received from
userspace with NL80211_NAN_FUNC_SERVICE_ID.
Fixes: a442b761b2
("cfg80211: add add_nan_func / del_nan_func")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
parent
9361df14d1
commit
0a27844ce8
@ -519,7 +519,7 @@ nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
|
||||
static const struct nla_policy
|
||||
nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
|
||||
[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
|
||||
[NL80211_NAN_FUNC_SERVICE_ID] = { .type = NLA_BINARY,
|
||||
[NL80211_NAN_FUNC_SERVICE_ID] = {
|
||||
.len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
|
||||
[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
|
||||
[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
|
||||
|
Loading…
Reference in New Issue
Block a user