linux-uconsole/net/wireless
Johannes Berg 444ba62c39 wireless extensions: fix kernel heap content leak
commit 42da2f948d upstream.

Wireless extensions have an unfortunate, undocumented
requirement which requires drivers to always fill
iwp->length when returning a successful status. When
a driver doesn't do this, it leads to a kernel heap
content leak when userspace offers a larger buffer
than would have been necessary.

Arguably, this is a driver bug, as it should, if it
returns 0, fill iwp->length, even if it separately
indicated that the buffer contents were not valid.

However, we can also at least avoid the memory content
leak if the driver doesn't do this by setting the iwp
length to max_tokens, which then reflects how big the
buffer is that the driver may fill, regardless of how
big the userspace buffer is.

To illustrate the point, this patch also fixes a
corresponding cfg80211 bug (since this requirement
isn't documented nor was ever pointed out by anyone
during code review, I don't trust all drivers nor
all cfg80211 handlers to implement it correctly).

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-09-20 13:17:56 -07:00
chan.c cfg80211: fix locking for SIWFREQ 2009-08-14 09:13:51 -04:00
core.c headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
core.h wireless: report reasonable bitrate for MCS rates through wext 2010-07-05 11:11:11 -07:00
debugfs.c cfg80211: clean up naming once and for all 2009-07-10 15:02:33 -04:00
debugfs.h cfg80211: clean up naming once and for all 2009-07-10 15:02:33 -04:00
ibss.c cfg80211: make spurious warnings less likely, configurable 2009-08-28 14:40:30 -04:00
Kconfig wireless: update cfg80211 kconfig entry 2009-09-08 16:31:06 -04:00
lib80211.c lib80211: consolidate crypt init routines 2008-11-21 11:08:17 -05:00
lib80211_crypt_ccmp.c lib80211: silence excessive crypto debugging messages 2009-03-16 18:01:58 -04:00
lib80211_crypt_tkip.c lib80211: silence excessive crypto debugging messages 2009-03-16 18:01:58 -04:00
lib80211_crypt_wep.c lib80211: absorb crypto bits from net/ieee80211 2008-11-21 11:08:17 -05:00
Makefile cfg80211: validate channel settings across interfaces 2009-08-14 09:13:42 -04:00
mlme.c cfg80211: ignore spurious deauth 2010-08-10 10:20:42 -07:00
nl80211.c wireless: report reasonable bitrate for MCS rates through wext 2010-07-05 11:11:11 -07:00
nl80211.h cfg80211: fix locking 2009-07-10 15:02:32 -04:00
radiotap.c wireless: use get/put_unaligned_* helpers 2008-05-14 16:29:32 -04:00
reg.c cfg80211: fix syntax error on user regulatory hints 2010-01-18 10:19:45 -08:00
reg.h Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-08-12 17:44:53 -07:00
scan.c cfg80211: don't get expired BSSes 2010-08-10 10:20:43 -07:00
sme.c cfg80211: fix channel setting for wext 2010-01-28 15:02:38 -08:00
sysfs.c cfg80211: rename cfg80211_registered_device's idx to wiphy_idx 2009-02-27 14:52:54 -05:00
sysfs.h
util.c wireless: report reasonable bitrate for MCS rates through wext 2010-07-05 11:11:11 -07:00
wext-compat.c wireless extensions: fix kernel heap content leak 2010-09-20 13:17:56 -07:00
wext-compat.h cfg80211: validate channel settings across interfaces 2009-08-14 09:13:42 -04:00
wext-sme.c cfg80211: don't set privacy w/o key 2009-09-28 16:55:04 -04:00
wext.c wireless extensions: fix kernel heap content leak 2010-09-20 13:17:56 -07:00