aha/net/wireless
Johannes Berg 88f16db7a2 wext: verify buffer size for SIOCSIWENCODEEXT
Another design flaw in wireless extensions (is anybody
surprised?) in the way it handles the iw_encode_ext
structure: The structure is part of the 'extra' memory
but contains the key length explicitly, instead of it
just being the length of the extra buffer - size of
the struct and using the explicit key length only for
the get operation (which only writes it).

Therefore, we have this layout:

extra: +-------------------------+
       | struct iw_encode_ext  { |
       |     ...                 |
       |     u16 key_len;        |
       |     u8 key[0];          |
       | };                      |
       +-------------------------+
       | key material            |
       +-------------------------+

Now, all drivers I checked use ext->key_len without
checking that both key_len and the struct fit into the
extra buffer that has been copied from userspace. This
leads to a buffer overrun while reading that buffer,
depending on the driver it may be possible to specify
arbitrary key_len or it may need to be a proper length
for the key algorithm specified.

Thankfully, this is only exploitable by root, but root
can actually cause a segfault or use kernel memory as
a key (which you can even get back with siocgiwencode
or siocgiwencodeext from the key buffer).

Fix this by verifying that key_len fits into the buffer
along with struct iw_encode_ext.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:07:50 -04:00
..
core.c cfg80211: fix locking in nl80211_set_wiphy 2009-03-27 20:13:20 -04:00
core.h cfg80211: do not replace BSS structs 2009-04-17 15:27:13 -04:00
Kconfig cfg80211: default CONFIG_WIRELESS_OLD_REGULATORY to n 2009-03-27 20:13:23 -04:00
lib80211.c lib80211: consolidate crypt init routines 2008-11-21 11:08:17 -05:00
lib80211_crypt_ccmp.c lib80211: silence excessive crypto debugging messages 2009-03-16 18:01:58 -04:00
lib80211_crypt_tkip.c lib80211: silence excessive crypto debugging messages 2009-03-16 18:01:58 -04:00
lib80211_crypt_wep.c lib80211: absorb crypto bits from net/ieee80211 2008-11-21 11:08:17 -05:00
Makefile nl80211: Event notifications for MLME events 2009-03-27 20:13:02 -04:00
mlme.c nl80211: Event notifications for MLME events 2009-03-27 20:13:02 -04:00
nl80211.c nl80211: Make nl80211_send_mlme_event() atomic 2009-04-20 16:36:26 -04:00
nl80211.h nl80211: Event notifications for MLME events 2009-03-27 20:13:02 -04:00
radiotap.c wireless: use get/put_unaligned_* helpers 2008-05-14 16:29:32 -04:00
reg.c cfg80211: fix comment on regulatory hint processing 2009-05-04 16:22:14 -04:00
reg.h cfg80211: make __regulatory_hint() static 2009-02-27 14:52:59 -05:00
scan.c cfg80211: fix truncated IEs 2009-05-04 16:22:10 -04:00
sysfs.c cfg80211: rename cfg80211_registered_device's idx to wiphy_idx 2009-02-27 14:52:54 -05:00
sysfs.h
util.c wireless: restrict to 32 legacy rates 2009-01-29 16:01:09 -05:00
wext-compat.c cfg80211: accept no-op interface mode changes 2009-03-27 20:13:08 -04:00
wext.c wext: verify buffer size for SIOCSIWENCODEEXT 2009-05-20 14:07:50 -04:00