Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e438768f authored Nov 05, 2013 by Luis R. Rodriguez Committed by Johannes Berg Nov 25, 2013

cfg80211: check regulatory request alpha2 early



Currently nl80211 allows userspace to send the kernel
a bogus regulatory domain with at most 32 rules set
and it won't reject it until after its allocated
memory. Let's be smart about it and take advantage
that the last_request is now available under RTNL
and check if the alpha2 matches an expected request
and reject any bogus userspace requests prior to
hitting the memory allocator.

Signed-off-by: Luis R. Rodriguez <mcgrof@do-not-panic.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent cc493e4f

net/wireless/nl80211.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -5100,6 +5100,9 @@ static int nl80211_set_reg(struct sk_buff skb, struct genl_info info)
		return -EINVAL;
		}

		if (!reg_is_valid_request(alpha2))
		return -EINVAL;

		size_of_regd = sizeof(struct ieee80211_regdomain) +
		num_rules * sizeof(struct ieee80211_reg_rule);

net/wireless/reg.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -450,7 +450,7 @@ static int call_crda(const char *alpha2)
		return kobject_uevent(&reg_pdev->dev.kobj, KOBJ_CHANGE);
		}

		static bool reg_is_valid_request(const char *alpha2)
		bool reg_is_valid_request(const char *alpha2)
		{
		struct regulatory_request *lr = get_last_request();

net/wireless/reg.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -18,6 +18,7 @@

		extern const struct ieee80211_regdomain __rcu *cfg80211_regdomain;

		bool reg_is_valid_request(const char *alpha2);
		bool is_world_regdom(const char *alpha2);
		bool reg_supported_dfs_region(u8 dfs_region);