Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6380c410 authored by Johannes Berg's avatar Johannes Berg Committed by Alistair Strachan
Browse files

UPSTREAM: mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length 



[ Upstream commit ff4dd73dd2b4806419f8ff65cbce11d5019548d0 ]

Unfortunately, the nla policy was defined to have HWSIM_ATTR_RADIO_NAME
as an NLA_STRING, rather than NLA_NUL_STRING, so we can't use it as a
NUL-terminated string in the kernel.

Rather than break the API, kasprintf() the string to a new buffer to
guarantee NUL termination.

Reported-by: default avatarAndrew Zaborowski <andrew.zaborowski@intel.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3e8c1a04d33500957fe1409ddf5cf11b52b7f6ed)
Bug: 70214720
Change-Id: Ia69ed70a7768a004fb4198732e2531091ede1aeb
Signed-off-by: default avatarAlistair Strachan <astrachan@google.com>
parent 92501a7f

drivers/net/wireless/mac80211_hwsim.c

+21 −7
Original line number Diff line number Diff line
@@ -2609,6 +2609,7 @@ static int hwsim_register_received_nl(struct sk_buff *skb_2, 
static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)

{

	struct hwsim_new_radio_params param = { 0 };

	const char *hwname = NULL;



	param.reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];

	param.p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
@@ -2622,8 +2623,14 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info) 
	if (info->attrs[HWSIM_ATTR_NO_VIF])

		param.no_vif = true;



	if (info->attrs[HWSIM_ATTR_RADIO_NAME])

		param.hwname = nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]);

	if (info->attrs[HWSIM_ATTR_RADIO_NAME]) {

		hwname = kasprintf(GFP_KERNEL, "%.*s",

				   nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),

				   (char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]));

		if (!hwname)

			return -ENOMEM;

		param.hwname = hwname;

	}



	if (info->attrs[HWSIM_ATTR_USE_CHANCTX])

		param.use_chanctx = true;
@@ -2651,11 +2658,15 @@ static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info) 
	s64 idx = -1;

	const char *hwname = NULL;



	if (info->attrs[HWSIM_ATTR_RADIO_ID])

	if (info->attrs[HWSIM_ATTR_RADIO_ID]) {

		idx = nla_get_u32(info->attrs[HWSIM_ATTR_RADIO_ID]);

	else if (info->attrs[HWSIM_ATTR_RADIO_NAME])

		hwname = (void *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]);

	else

	} else if (info->attrs[HWSIM_ATTR_RADIO_NAME]) {

		hwname = kasprintf(GFP_KERNEL, "%.*s",

				   nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),

				   (char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]));

		if (!hwname)

			return -ENOMEM;

	} else

		return -EINVAL;



	spin_lock_bh(&hwsim_radio_lock);
@@ -2664,7 +2675,8 @@ static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info) 
			if (data->idx != idx)

				continue;

		} else {

			if (strcmp(hwname, wiphy_name(data->hw->wiphy)))

			if (!hwname ||

			    strcmp(hwname, wiphy_name(data->hw->wiphy)))

				continue;

		}
@@ -2672,10 +2684,12 @@ static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info) 
		spin_unlock_bh(&hwsim_radio_lock);

		mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),

					 info);

		kfree(hwname);

		return 0;

	}

	spin_unlock_bh(&hwsim_radio_lock);



	kfree(hwname);

	return -ENODEV;

}