git.baikalelectronics.ru Git - kernel.git/commit

author	Johannes Berg <johannes.berg@intel.com>
	Mon, 30 Aug 2010 10:24:54 +0000 (12:24 +0200)
committer	John W. Linville <linville@tuxdriver.com>
	Mon, 30 Aug 2010 20:35:17 +0000 (16:35 -0400)
commit	9f4d30569c8c6e5cd3e62dfc0a5f1dda8b1e7123
tree	9bcf654ba27e198935a00e679c91181365ee37fa	tree \| snapshot
parent	5b43dd14d2009fde158fa35a9776a11607e913aa	commit \| diff

wireless extensions: fix kernel heap content leak

Wireless extensions have an unfortunate, undocumented
requirement which requires drivers to always fill
iwp->length when returning a successful status. When
a driver doesn't do this, it leads to a kernel heap
content leak when userspace offers a larger buffer
than would have been necessary.

Arguably, this is a driver bug, as it should, if it
returns 0, fill iwp->length, even if it separately
indicated that the buffer contents was not valid.

However, we can also at least avoid the memory content
leak if the driver doesn't do this by setting the iwp
length to max_tokens, which then reflects how big the
buffer is that the driver may fill, regardless of how
big the userspace buffer is.

To illustrate the point, this patch also fixes a
corresponding cfg80211 bug (since this requirement
isn't documented nor was ever pointed out by anyone
during code review, I don't trust all drivers nor
all cfg80211 handlers to implement it correctly).

Cc: stable@kernel.org [all the way back]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

net/wireless/wext-compat.c		diff \| blob \| history
net/wireless/wext-core.c		diff \| blob \| history