    wireless extensions: fix kernel heap content leak · 42da2f94
    Johannes Berg authored
    Wireless extensions have an unfortunate, undocumented
    requirement which requires drivers to always fill
    iwp->length when returning a successful status. When
    a driver doesn't do this, it leads to a kernel heap
    content leak when userspace offers a larger buffer
    than would have been necessary.
    
    Arguably, this is a driver bug, as it should, if it
    returns 0, fill iwp->length, even if it separately
    indicated that the buffer contents were not valid.
    
    However, we can also at least avoid the memory content
    leak if the driver doesn't do this by setting the iwp
    length to max_tokens, which then reflects how big the
    buffer is that the driver may fill, regardless of how
    big the userspace buffer is.
    
    To illustrate the point, this patch also fixes a
    corresponding cfg80211 bug (since this requirement
    isn't documented nor was ever pointed out by anyone
    during code review, I don't trust all drivers nor
    all cfg80211 handlers to implement it correctly).
    
    Cc: stable@kernel.org [all the way back]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
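The following is an added user-space model of the mechanism the commit message describes; it is not kernel code and not part of this commit. It mimics the GET path of ioctl_standard_iw_point with a handler that returns 0 without setting iwp->length, and shows how resetting iwp->length to max_tokens before the handler runs bounds the copy to the driver buffer (names such as core_get, buggy_handler and fake_heap are assumptions; copy_to_user and kzalloc are modelled with memcpy and memset).

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-space model of the wext GET path; all names are assumptions. */
#define TOKEN_SIZE 1
#define MAX_TOKENS 8                 /* descr->max_tokens for this hypothetical ioctl */
#define SPILL      8                 /* bytes of unrelated heap data placed after the buffer */

struct iw_point_model { size_t length; };   /* iwp->length, initially supplied by userspace */

/* Models the kzalloc()'d extra buffer followed by unrelated heap contents ('S'). */
static char fake_heap[MAX_TOKENS + SPILL];

/* A driver handler that fills three tokens but never updates iwp->length. */
static int buggy_handler(struct iw_point_model *iwp, char *extra)
{
    (void)iwp;                       /* the bug: no "iwp->length = 3" here */
    memcpy(extra, "abc", 3);
    return 0;                        /* success, so the core copies data back to userspace */
}

/* Core GET path. Returns bytes copied to user_buf, or -1 where the kernel returns -E2BIG.
 * `fixed` selects whether iwp->length is reset to max_tokens before the handler runs. */
static long core_get(size_t user_length, char *user_buf, int fixed)
{
    struct iw_point_model iwp = { .length = user_length };
    char *extra = fake_heap;

    memset(fake_heap, 0, MAX_TOKENS);             /* kzalloc(extra_size) */
    memset(fake_heap + MAX_TOKENS, 'S', SPILL);   /* adjacent kernel heap contents */

    if (fixed)
        iwp.length = MAX_TOKENS;     /* the fix: length can never exceed the buffer */

    if (buggy_handler(&iwp, extra))
        return -1;

    if (user_length < iwp.length)    /* existing "enough buffer up there?" check */
        return -1;
    memcpy(user_buf, extra, iwp.length * TOKEN_SIZE);   /* copy_to_user() */
    return (long)(iwp.length * TOKEN_SIZE);
}

/* Returns 1 if any byte beyond the kzalloc()'d buffer reached userspace. */
static int leaks_adjacent_heap(int fixed)
{
    char user_buf[MAX_TOKENS + SPILL];  /* userspace offers a larger buffer than needed */
    long n = core_get(sizeof user_buf, user_buf, fixed);
    return n > 0 && memchr(user_buf, 'S', (size_t)n) != NULL;
}
```

Without the fix the copy length is the userspace-supplied 16 tokens and the 8 bytes past the buffer are returned; with it, only the 8-byte driver buffer is copied.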