linux/net/wireless
Johannes Berg 9a6847ba17 nl80211: fix beacon head validation
If the beacon head attribute (NL80211_ATTR_BEACON_HEAD)
is too short to even contain the frame control field,
we access uninitialized data beyond the buffer. Fix this
by checking the minimal required size first. We used to
do this until S1G support was added, where the fixed
data portion has a different size.

Reported-and-tested-by: syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: 1d47f1198d ("nl80211: correctly validate S1G beacon head")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20210408154518.d9b06d39b4ee.Iff908997b2a4067e8d456b3cb96cab9771d252b8@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2021-04-08 16:43:05 +02:00
..
certs cfg80211: ship certificates as hex files 2017-12-19 09:28:01 +01:00
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
Kconfig cfg80211: select CONFIG_CRC32 2021-01-05 15:50:36 -08:00
Makefile wireless: Skip directory when generating certificates 2019-05-14 10:27:57 +02:00
ap.c cfg80211: call disconnect_wk when AP stops 2019-02-01 11:12:50 +01:00
chan.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
core.c cfg80211: fix netdev registration deadlock 2021-02-01 19:30:54 +01:00
core.h cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
debugfs.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
debugfs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ethtool.c cfg80211: check wiphy driver existence for drvinfo report 2020-02-07 12:53:26 +01:00
ibss.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
lib80211.c lib80211: Remove unused macro DRV_NAME 2020-09-18 11:53:00 +02:00
lib80211_crypt_ccmp.c lib80211: use crypto API ccm(aes) transform for CCMP processing 2019-07-26 13:22:47 +02:00
lib80211_crypt_tkip.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
lib80211_crypt_wep.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
mesh.c cfg80211/mac80211: add mesh_param "mesh_nolearn" to skip path discovery 2020-07-31 09:24:23 +02:00
mlme.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
nl80211.c nl80211: fix beacon head validation 2021-04-08 16:43:05 +02:00
nl80211.h cfg80211: support immediate reconnect request hint 2020-12-11 13:20:05 +01:00
ocb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
of.c cfg80211: support ieee80211-freq-limit DT property 2017-01-06 14:01:13 +01:00
pmsr.c nl80211: link recursive netlink nested policy 2020-04-30 17:51:41 -07:00
radiotap.c wireless: radiotap: fix some kernel-doc 2020-09-28 13:53:05 +02:00
rdev-ops.h nl80211: add common API to configure SAR power limitations 2020-12-11 13:38:54 +01:00
reg.c cfg80211: initialize reg_rule in __freq_reg_info() 2021-02-12 08:56:19 +01:00
reg.h cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
scan.c cfg80211: check S1G beacon compat element length 2021-04-08 14:44:54 +02:00
sme.c cfg80211: remove WARN_ON() in cfg80211_sme_connect 2021-04-08 10:14:55 +02:00
sysfs.c cfg80211: remove unused callback 2021-02-12 08:52:25 +01:00
sysfs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace.c
trace.h nl80211: add common API to configure SAR power limitations 2020-12-11 13:38:54 +01:00
util.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
wext-compat.c wext: call cfg80211_set_encryption() with wiphy lock held 2021-01-28 19:10:57 +01:00
wext-compat.h treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
wext-core.c wext: fix NULL-ptr-dereference with cfg80211's lack of commit() 2021-01-26 11:59:42 +01:00
wext-priv.c
wext-proc.c proc: introduce proc_create_net{,_data} 2018-05-16 07:24:30 +02:00
wext-sme.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
wext-spy.c