linux/net
Johannes Berg 88f16db7a2 wext: verify buffer size for SIOCSIWENCODEEXT
Another design flaw in wireless extensions (is anybody
surprised?) in the way it handles the iw_encode_ext
structure: The structure is part of the 'extra' memory
but contains the key length explicitly, instead of it
just being the length of the extra buffer - size of
the struct and using the explicit key length only for
the get operation (which only writes it).

Therefore, we have this layout:

extra: +-------------------------+
       | struct iw_encode_ext  { |
       |     ...                 |
       |     u16 key_len;        |
       |     u8 key[0];          |
       | };                      |
       +-------------------------+
       | key material            |
       +-------------------------+

Now, all drivers I checked use ext->key_len without
checking that both key_len and the struct fit into the
extra buffer that has been copied from userspace. This
leads to a buffer overrun while reading that buffer,
depending on the driver it may be possible to specify
arbitrary key_len or it may need to be a proper length
for the key algorithm specified.

Thankfully, this is only exploitable by root, but root
can actually cause a segfault or use kernel memory as
a key (which you can even get back with siocgiwencode
or siocgiwencodeext from the key buffer).

Fix this by verifying that key_len fits into the buffer
along with struct iw_encode_ext.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:07:50 -04:00
..
9p net/9p: handle correctly interrupted 9P requests 2009-04-05 16:54:53 -05:00
802 tr: fix leakage of device in net/802/tr.c 2009-04-11 01:43:17 -07:00
8021q vlan: update vlan carrier state for admin up/down 2009-04-25 18:03:35 -07:00
appletalk proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
atm Subject: [PATCH] br2684: restore net_dev initialization 2009-05-02 13:49:36 -07:00
ax25 ax25: proc uid file misses header 2009-04-20 02:14:59 -07:00
bluetooth Bluetooth: Don't trigger disconnect timeout for security mode 3 pairing 2009-05-09 18:09:52 -07:00
bridge bridge: fix initial packet flood if !STP 2009-05-17 21:12:55 -07:00
can can: Network Drop Monitor: Make use of consume_skb() in af_can.c 2009-04-17 01:38:46 -07:00
core net: fix skb_seq_read returning wrong offset/length for page frag data 2009-05-18 21:43:27 -07:00
dcb
dccp dccp: Do not let initial option overhead shrink the MPS 2009-03-02 03:07:23 -08:00
decnet net/*: use linux/kernel.h swap() 2009-03-21 13:36:17 -07:00
dsa dsa: add switch chip cascading support 2009-03-21 19:06:54 -07:00
econet net: convert usage of packet_type to read_mostly 2009-03-10 05:22:43 -07:00
ethernet
ipv4 ipv4: make default for INET_LRO consistent with help text 2009-05-18 21:48:38 -07:00
ipv6 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6 2009-05-05 12:00:53 -07:00
ipx ipx: use constant for strings and desciptor 2009-03-21 19:06:51 -07:00
irda proc tty: switch ircomm to ->proc_fops 2009-04-01 08:59:10 -07:00
iucv af_iucv: Fix race when queuing incoming iucv messages 2009-04-21 23:43:15 -07:00
key af_key: remove some pointless conditionals before kfree_skb() 2009-02-26 23:07:32 -08:00
lapb
llc proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
mac80211 mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel 2009-05-11 15:07:01 -04:00
netfilter ipvs: Fix IPv4 FWMARK virtual services 2009-05-08 14:54:47 -07:00
netlabel netlabel: Always remove the correct address selector 2009-04-22 00:46:09 -07:00
netlink Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-03-26 15:23:24 -07:00
netrom net/netrom: Fix socket locking 2009-04-22 00:49:51 -07:00
packet packet: avoid warnings when high-order page allocation fails 2009-04-15 03:39:52 -07:00
phonet trivial: fix typos/grammar errors in Kconfig texts 2009-03-30 15:22:01 +02:00
rds FRV: Fix the section attribute on UP DECLARE_PER_CPU() 2009-04-21 19:39:59 -07:00
rfkill
rose Revert "rose: zero length frame filtering in af_rose.c" 2009-04-14 20:28:00 -07:00
rxrpc
sched sch_teql: should not dereference skb after ndo_start_xmit() 2009-05-18 15:12:31 -07:00
sctp proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
sunrpc Merge branch 'for-2.6.30' of git://linux-nfs.org/~bfields/linux 2009-05-12 17:11:56 -07:00
tipc tipc: fix non-const printf format arguments 2009-03-18 19:11:29 -07:00
unix New helper - current_umask() 2009-03-31 23:00:26 -04:00
wanrouter wanrouter: fix sparse warnings: context imbalance 2009-02-26 23:13:36 -08:00
wimax wimax: oops: wimax_dev_add() is the only one that can initialize the state 2009-05-06 13:48:37 -07:00
wireless wext: verify buffer size for SIOCSIWENCODEEXT 2009-05-20 14:07:50 -04:00
x25 af_rose/x25: Sanity check the maximum user frame size 2009-03-27 00:28:21 -07:00
xfrm xfrm: wrong hash value for temporary SA 2009-04-27 02:58:59 -07:00
Kconfig net: remove stale reference to fastroute from Kconfig help text 2009-05-07 16:31:01 -07:00
Makefile RDS: Kconfig and Makefile 2009-02-26 23:43:35 -08:00
TUNABLE
compat.c
nonet.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-04-06 18:05:43 -07:00
sysctl_net.c net: sysctl_net - use net_eq to compare nets 2009-03-16 16:23:30 +01:00