summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2019-01-25 09:26:32 +0100
committerJohannes Berg <johannes.berg@intel.com>2019-01-25 09:26:32 +0100
commita8b5c6d69261889e022e9d64ac7ee8741db730bf (patch)
tree99a328c935c103028123f5b36d00dce999f19a05 /net
parentf9d672f1c2ca36b788511bbd773d650c744e109a (diff)
downloadlwn-a8b5c6d69261889e022e9d64ac7ee8741db730bf.tar.gz
lwn-a8b5c6d69261889e022e9d64ac7ee8741db730bf.zip
nl80211: fix NLA_POLICY_NESTED() arguments
syzbot reported an out-of-bounds read when passing certain malformed messages into nl80211. The specific place where this happened isn't interesting, the problem is that nested policy parsing was referring to the wrong maximum attribute and thus the policy wasn't long enough. Fix this by referring to the correct attribute. Since this is really not necessary, I'll come up with a separate patch to just pass the policy instead of both, in the common case we can infer the maxattr from the size of the policy array. Reported-by: syzbot+4157b036c5f4713b1f2f@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/nl80211.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5e49492d5911..74150ad95823 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -555,7 +555,7 @@ const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
},
[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
[NL80211_ATTR_PEER_MEASUREMENTS] =
- NLA_POLICY_NESTED(NL80211_PMSR_FTM_REQ_ATTR_MAX,
+ NLA_POLICY_NESTED(NL80211_PMSR_ATTR_MAX,
nl80211_pmsr_attr_policy),
};