cfg80211: Check if NAN service ID is of expected size

nla policy checks for only maximum length of the attribute data when the
attribute type is NLA_BINARY. If userspace sends less data than
specified, cfg80211 may access illegal memory. When type is NLA_UNSPEC,
nla policy check ensures that userspace sends minimum specified length
number of bytes.

Remove type assignment to NLA_BINARY from nla_policy of
NL80211_NAN_FUNC_SERVICE_ID to make these NLA_UNSPEC and to make sure
minimum NL80211_NAN_FUNC_SERVICE_ID_LEN bytes are received from
userspace with NL80211_NAN_FUNC_SERVICE_ID.

Fixes: a442b761b24 ("cfg80211: add add_nan_func / del_nan_func")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 53ab5cae70c8b5e77564c01f4f33e7080c706790..a2c93bfb9668d433027eb0175649075b8f1f5fae 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -519,7 +519,7 @@ nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
 static const struct nla_policy
 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
        [NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
-       [NL80211_NAN_FUNC_SERVICE_ID] = { .type = NLA_BINARY,
+       [NL80211_NAN_FUNC_SERVICE_ID] = {
                                    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
        [NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
        [NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },