    nl80211: check netlink protocol in socket release notification · 8f815cdd
    Dmitry Ivanov authored
    A non-privileged user can create a netlink socket with the same port_id as
    used by an existing open nl80211 netlink socket (e.g. as used by a hostapd
    process) with a different protocol number.
    
    Closing this socket will then lead to the notification going to nl80211's
    socket release notification handler, and possibly cause an action such as
    removing a virtual interface.
    
    Fix this issue by checking that the netlink protocol is NETLINK_GENERIC.
    Since generic netlink has no notifier chain of its own, we can't fix the
    problem more generically.
    
    Fixes: 026331c4 ("cfg80211/mac80211: allow registering for and sending action frames")
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
    [rewrite commit message]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
nl80211.c 352 KB
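
A user-space model of the check the commit message describes, added here as an example; it is not the kernel's nl80211.c code. `notify_model`, `vif_model`, `release_notify`, `vif_survives` and the port id 4242 are hypothetical stand-ins constructed for illustration; it shows a release handler that keys on port id alone next to one that also requires NETLINK_GENERIC.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Linux netlink headers. */
#define NETLINK_USERSOCK 2
#define NETLINK_GENERIC  16
#define NETLINK_URELEASE 0x0001

/* Simplified stand-in for the kernel's struct netlink_notify (assumption). */
struct notify_model {
    uint32_t portid;   /* port id of the socket being released */
    int      protocol; /* netlink protocol of that socket */
};

/* Hypothetical model of a virtual interface owned by an nl80211 socket. */
struct vif_model {
    uint32_t owner_portid;
    bool     present;
};

/* Release handler. With check_protocol false it matches on port id alone;
 * with it true it ignores releases from any protocol but NETLINK_GENERIC. */
static void release_notify(struct vif_model *vif, unsigned long state,
                           const struct notify_model *n, bool check_protocol)
{
    if (state != NETLINK_URELEASE ||
        (check_protocol && n->protocol != NETLINK_GENERIC))
        return; /* not a release, or not a generic netlink socket */
    if (vif->present && vif->owner_portid == n->portid)
        vif->present = false; /* owner socket closed: remove the interface */
}

/* Returns whether the interface survives one release event. */
static bool vif_survives(uint32_t portid, int protocol, bool check_protocol)
{
    struct vif_model vif = { .owner_portid = 4242, .present = true }; /* constructed */
    struct notify_model n = { .portid = portid, .protocol = protocol };
    release_notify(&vif, NETLINK_URELEASE, &n, check_protocol);
    return vif.present;
}

int main(void)
{
    printf("unchecked, other protocol: %d\n", vif_survives(4242, NETLINK_USERSOCK, false));
    printf("checked,   other protocol: %d\n", vif_survives(4242, NETLINK_USERSOCK, true));
    printf("checked,   owner closes:   %d\n", vif_survives(4242, NETLINK_GENERIC, true));
    return 0;
}
```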