Commit e438768f authored by Luis R. Rodriguez's avatar Luis R. Rodriguez Committed by Johannes Berg

cfg80211: check regulatory request alpha2 early

Currently nl80211 allows userspace to send the kernel
a bogus regulatory domain with at most 32 rules set
and it won't reject it until after its allocated
memory. Let's be smart about it and take advantage
that the last_request is now available under RTNL
and check if the alpha2 matches an expected request
and reject any bogus userspace requests prior to
hitting the memory allocator.
Signed-off-by: default avatarLuis R. Rodriguez <mcgrof@do-not-panic.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent cc493e4f
...@@ -5100,6 +5100,9 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info) ...@@ -5100,6 +5100,9 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
return -EINVAL; return -EINVAL;
} }
if (!reg_is_valid_request(alpha2))
return -EINVAL;
size_of_regd = sizeof(struct ieee80211_regdomain) + size_of_regd = sizeof(struct ieee80211_regdomain) +
num_rules * sizeof(struct ieee80211_reg_rule); num_rules * sizeof(struct ieee80211_reg_rule);
......
...@@ -450,7 +450,7 @@ static int call_crda(const char *alpha2) ...@@ -450,7 +450,7 @@ static int call_crda(const char *alpha2)
return kobject_uevent(&reg_pdev->dev.kobj, KOBJ_CHANGE); return kobject_uevent(&reg_pdev->dev.kobj, KOBJ_CHANGE);
} }
static bool reg_is_valid_request(const char *alpha2) bool reg_is_valid_request(const char *alpha2)
{ {
struct regulatory_request *lr = get_last_request(); struct regulatory_request *lr = get_last_request();
......
...@@ -18,6 +18,7 @@ ...@@ -18,6 +18,7 @@
extern const struct ieee80211_regdomain __rcu *cfg80211_regdomain; extern const struct ieee80211_regdomain __rcu *cfg80211_regdomain;
bool reg_is_valid_request(const char *alpha2);
bool is_world_regdom(const char *alpha2); bool is_world_regdom(const char *alpha2);
bool reg_supported_dfs_region(u8 dfs_region); bool reg_supported_dfs_region(u8 dfs_region);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment