Commit 252e07ca authored by Luciano Coelho's avatar Luciano Coelho Committed by Johannes Berg

nl80211: sanity check the channel switch counter value

The nl80211 channel switch count attribute
(NL80211_ATTR_CH_SWITCH_COUNT) is specified as u32, but the
specification uses u8 for the counter.  To make sure strange things
don't happen without informing the user, sanity check the value and
return -EINVAL if it doesn't fit in u8.
Signed-off-by: default avatarLuciano Coelho <luciano.coelho@intel.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent bc37b168
...@@ -5927,6 +5927,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info) ...@@ -5927,6 +5927,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
int err; int err;
bool need_new_beacon = false; bool need_new_beacon = false;
int len, i; int len, i;
u32 cs_count;
if (!rdev->ops->channel_switch || if (!rdev->ops->channel_switch ||
!(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)) !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
...@@ -5963,7 +5964,14 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info) ...@@ -5963,7 +5964,14 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES]) if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
return -EINVAL; return -EINVAL;
params.count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]); /* Even though the attribute is u32, the specification says
* u8, so let's make sure we don't overflow.
*/
cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
if (cs_count > 255)
return -EINVAL;
params.count = cs_count;
if (!need_new_beacon) if (!need_new_beacon)
goto skip_beacons; goto skip_beacons;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment