linux/net/wireless
Peng Xu ad670233c9 nl80211: Define policy for packet pattern attributes
Define a policy for packet pattern attributes in order to fix a
potential read over the end of the buffer during nla_get_u32()
of the NL80211_PKTPAT_OFFSET attribute.

Note that the data there can always be read due to SKB allocation
(with alignment and struct skb_shared_info at the end), but the
data might be uninitialized. This could be used to leak some data
from uninitialized vmalloc() memory, but most drivers don't allow
an offset (so you'd just get -EINVAL if the data is non-zero) or
just allow it with a fixed value - 100 or 128 bytes, so anything
above that would get -EINVAL. With brcmfmac the limit is 1500 so
(at least) one byte could be obtained.

Cc: stable@kernel.org
Signed-off-by: Peng Xu <pxu@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[rewrite description based on SKB allocation knowledge]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-10-04 14:39:21 +02:00
..
.gitignore
ap.c cfg80211: Make pre-CAC results valid only for ETSI domain 2017-03-06 13:54:15 +01:00
chan.c cfg80211: Share Channel DFS state across wiphys of same DFS domain 2017-03-06 13:54:20 +01:00
core.c cfg80211: support 4-way handshake offloading for 802.1X 2017-06-13 10:44:09 +02:00
core.h cfg80211: add request id to cfg80211_sched_scan_*() api 2017-04-28 14:51:43 +02:00
db.txt
debugfs.c cfg80211 debugfs: Cleanup some checkpatch issues 2017-02-08 09:15:59 +01:00
debugfs.h
ethtool.c
genregdb.awk
ibss.c cfg80211: Make pre-CAC results valid only for ETSI domain 2017-03-06 13:54:15 +01:00
Kconfig cfg80211: Fix some linguistics in Kconfig 2016-02-24 09:04:23 +01:00
lib80211_crypt_ccmp.c lib80211: ratelimit key index mismatch 2015-12-04 14:43:32 +01:00
lib80211_crypt_tkip.c wireless: fix bogus maybe-uninitialized warning 2016-11-17 08:46:38 +02:00
lib80211_crypt_wep.c lib80211: Use skcipher and ahash 2016-01-27 20:36:03 +08:00
lib80211.c
Makefile For 4.11, we seem to have more than in the past few releases: 2017-01-14 12:02:15 -05:00
mesh.c wireless: Only join DFS channels in mesh mode if userspace flags support 2017-05-19 13:25:58 +02:00
mlme.c cfg80211: Use a structure to pass connect response params 2017-03-31 08:31:26 +02:00
nl80211.c nl80211: Define policy for packet pattern attributes 2017-10-04 14:39:21 +02:00
nl80211.h cfg80211: unify cfg80211_roamed() and cfg80211_roamed_bss() 2017-04-28 12:28:44 +02:00
ocb.c cfg80211: ocb: Fix null pointer deref if join_ocb is unimplemented 2015-12-04 14:43:32 +01:00
of.c cfg80211: support ieee80211-freq-limit DT property 2017-01-06 14:01:13 +01:00
radiotap.c cfg80211: add radiotap VHT info to rtap_namespace_sizes 2016-02-24 09:04:41 +01:00
rdev-ops.h cfg80211: support 4-way handshake offloading for 802.1X 2017-06-13 10:44:09 +02:00
reg.c cfg80211: honor NL80211_RRF_NO_HT40{MINUS,PLUS} 2017-09-06 12:56:31 +02:00
reg.h cfg80211: Share Channel DFS state across wiphys of same DFS domain 2017-03-06 13:54:20 +01:00
regdb.h
scan.c cfg80211: make cfg80211_sched_scan_results() work from atomic context 2017-05-23 14:36:46 +02:00
sme.c nl80211: add authorized flag to ROAM event 2017-06-13 11:04:37 +02:00
sysfs.c cfg80211: check rdev resume callback only for registered wiphy 2017-03-29 09:11:29 +02:00
sysfs.h
trace.c
trace.h cfg80211: support 4-way handshake offloading for 802.1X 2017-06-13 10:44:09 +02:00
util.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
wext-compat.c cfg80211: move add/change interface monitor flags into params 2017-04-13 13:41:38 +02:00
wext-compat.h cfg80211-wext: export symbols only when needed 2015-02-28 21:31:09 +01:00
wext-core.c dev_ioctl: copy only the smaller struct iwreq for wext 2017-06-14 13:52:44 +02:00
wext-priv.c
wext-proc.c
wext-sme.c cfg80211: wext does not need to set monitor channel in managed mode 2017-01-11 14:10:44 +01:00
wext-spy.c