Commit f556331

wireless: radiotap: fix parsing buffer overrun

When parsing an invalid radiotap header, the parser can overrun
the buffer that is passed in because it doesn't correctly check
 1) the minimum radiotap header size
 2) the space for extended bitmaps

The first issue doesn't affect any in-kernel user as they all
check the minimum size before calling the radiotap function.
The second issue could potentially affect the kernel if an skb
is passed in that consists only of the radiotap header with a
lot of extended bitmaps that extend past the SKB. In that case
a read-only buffer overrun by at most 4 bytes is possible.

Fix this by adding the appropriate checks to the parser.

Cc: stable@vger.kernel.org
Reported-by: Evan Huus <eapache@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 parent f38dd58 commit f556331

1 file changed: +6 -1 lines changed

Diff for: net/wireless/radiotap.c

@@ -97,6 +97,10 @@ int ieee80211_radiotap_iterator_init(
9797
struct ieee80211_radiotap_header *radiotap_header,
9898
int max_length, const struct ieee80211_radiotap_vendor_namespaces *vns)
9999
{
100+
/* check the radiotap header can actually be present */
101+
if (max_length < sizeof(struct ieee80211_radiotap_header))
102+
return -EINVAL;
103+
100104
/* Linux only supports version 0 radiotap format */
101105
if (radiotap_header->it_version)
102106
return -EINVAL;
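Review bot: the new minimum-size test compares `max_length`, which the signature declares as `int`, against `sizeof(struct ieee80211_radiotap_header)`, which is unsigned. A negative `max_length` is converted to a large unsigned value, so the test is false and the function goes on to read `radiotap_header->it_version` instead of returning -EINVAL. Consider rejecting negative lengths explicitly, for example `if (max_length < (int)sizeof(struct ieee80211_radiotap_header))`, so the check also holds for callers that pass a length derived from untrusted arithmetic.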
@@ -131,7 +135,8 @@ int ieee80211_radiotap_iterator_init(
131135
*/
132136

133137
if ((unsigned long)iterator->_arg -
134-
(unsigned long)iterator->_rtheader >
138+
(unsigned long)iterator->_rtheader +
139+
sizeof(uint32_t) >
135140
(unsigned long)iterator->_max_length)
136141
return -EINVAL;
137142
}
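Review bot: in the changed bounds test, the added `sizeof(uint32_t)` term is not explained on the visible lines; only the commit message says it reserves space for an extended bitmap word. A one-line comment at the condition stating that the next 32-bit bitmap word must fit inside `_max_length` would keep a later edit from dropping the term again. It would also be more robust to size the term from the object actually being read rather than from a bare type name, so the check stays correct if the field type ever changes.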