diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2009-05-13 12:04:30 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-05-20 14:07:50 -0400 |
commit | 88f16db7a2fa63b9242e8a0fbc40d51722f2e2f9 (patch) | |
tree | ea9ffbf2e1e595070c599486bfc5e9db394b46d5 | |
parent | 2b611cb6eed04062d0a9861c82248e02c844ba3f (diff) | |
download | kernel_samsung_smdk4412-88f16db7a2fa63b9242e8a0fbc40d51722f2e2f9.tar.gz kernel_samsung_smdk4412-88f16db7a2fa63b9242e8a0fbc40d51722f2e2f9.tar.bz2 kernel_samsung_smdk4412-88f16db7a2fa63b9242e8a0fbc40d51722f2e2f9.zip |
wext: verify buffer size for SIOCSIWENCODEEXT
Another design flaw in wireless extensions (is anybody
surprised?) in the way it handles the iw_encode_ext
structure: The structure is part of the 'extra' memory
but contains the key length explicitly, instead of it
just being the length of the extra buffer - size of
the struct and using the explicit key length only for
the get operation (which only writes it).
Therefore, we have this layout:
extra: +-------------------------+
| struct iw_encode_ext { |
| ... |
| u16 key_len; |
| u8 key[0]; |
| }; |
+-------------------------+
| key material |
+-------------------------+
Now, all drivers I checked use ext->key_len without
checking that both key_len and the struct fit into the
extra buffer that has been copied from userspace. This
leads to a buffer overrun while reading that buffer,
depending on the driver it may be possible to specify
arbitrary key_len or it may need to be a proper length
for the key algorithm specified.
Thankfully, this is only exploitable by root, but root
can actually cause a segfault or use kernel memory as
a key (which you can even get back with siocgiwencode
or siocgiwencodeext from the key buffer).
Fix this by verifying that key_len fits into the buffer
along with struct iw_encode_ext.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/wireless/wext.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/wireless/wext.c b/net/wireless/wext.c index cb6a5bb85d8..0e59f9ae9b8 100644 --- a/net/wireless/wext.c +++ b/net/wireless/wext.c @@ -786,6 +786,13 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, err = -EFAULT; goto out; } + + if (cmd == SIOCSIWENCODEEXT) { + struct iw_encode_ext *ee = (void *) extra; + + if (iwp->length < sizeof(*ee) + ee->key_len) + return -EFAULT; + } } err = handler(dev, info, (union iwreq_data *) iwp, extra); |