aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2010-08-30 12:24:54 +0200
committerJohn W. Linville <linville@tuxdriver.com>2010-08-30 16:35:17 -0400
commit42da2f948d949efd0111309f5827bf0298bcc9a4 (patch)
tree9bcf654ba27e198935a00e679c91181365ee37fa /crypto
parent9ef808048564928a83f3a52c65c5725688cf5cbe (diff)
downloadkernel_samsung_smdk4412-42da2f948d949efd0111309f5827bf0298bcc9a4.tar.gz
kernel_samsung_smdk4412-42da2f948d949efd0111309f5827bf0298bcc9a4.tar.bz2
kernel_samsung_smdk4412-42da2f948d949efd0111309f5827bf0298bcc9a4.zip
wireless extensions: fix kernel heap content leak
Wireless extensions have an unfortunate, undocumented requirement which requires drivers to always fill iwp->length when returning a successful status. When a driver doesn't do this, it leads to a kernel heap content leak when userspace offers a larger buffer than would have been necessary. Arguably, this is a driver bug, as it should, if it returns 0, fill iwp->length, even if it separately indicated that the buffer contents was not valid. However, we can also at least avoid the memory content leak if the driver doesn't do this by setting the iwp length to max_tokens, which then reflects how big the buffer is that the driver may fill, regardless of how big the userspace buffer is. To illustrate the point, this patch also fixes a corresponding cfg80211 bug (since this requirement isn't documented nor was ever pointed out by anyone during code review, I don't trust all drivers nor all cfg80211 handlers to implement it correctly). Cc: stable@kernel.org [all the way back] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'crypto')
0 files changed, 0 insertions, 0 deletions