WSL2-Linux-Kernel/net/wireless
Johannes Berg f5563318ff wireless: radiotap: fix parsing buffer overrun
When parsing an invalid radiotap header, the parser can overrun
the buffer that is passed in because it doesn't correctly check
 1) the minimum radiotap header size
 2) the space for extended bitmaps

The first issue doesn't affect any in-kernel user as they all
check the minimum size before calling the radiotap function.
The second issue could potentially affect the kernel if an skb
is passed in that consists only of the radiotap header with a
lot of extended bitmaps that extend past the SKB. In that case
a read-only buffer overrun by at most 4 bytes is possible.

Fix this by adding the appropriate checks to the parser.

Cc: stable@vger.kernel.org
Reported-by: Evan Huus <eapache@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-10-14 09:47:00 +02:00
..
.gitignore
Kconfig
Makefile
ap.c
chan.c nl80211/cfg80211: add 5 and 10 MHz defines and wiphy flag 2013-06-18 16:06:50 +02:00
core.c cfg80211: don't add p2p device while in RFKILL 2013-10-09 18:40:16 +02:00
core.h cfg80211: don't add p2p device while in RFKILL 2013-10-09 18:40:16 +02:00
db.txt
debugfs.c cfg80211: vastly simplify locking 2013-05-25 00:02:15 +02:00
debugfs.h
ethtool.c
ethtool.h
genregdb.awk
ibss.c cfg80211: fix warning when using WEXT for IBSS 2013-09-26 19:43:14 +02:00
lib80211.c
lib80211_crypt_ccmp.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
lib80211_crypt_tkip.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
lib80211_crypt_wep.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
mesh.c cfg80211/mac80211: get mandatory rates based on scan width 2013-07-16 09:58:07 +03:00
mlme.c cfg80211: add flags to cfg80211_rx_mgmt() 2013-08-23 16:06:03 +02:00
nl80211.c cfg80211: use the correct macro to check for active monitor support 2013-09-26 13:22:45 +02:00
nl80211.h cfg80211: add flags to cfg80211_rx_mgmt() 2013-08-23 16:06:03 +02:00
radiotap.c wireless: radiotap: fix parsing buffer overrun 2013-10-14 09:47:00 +02:00
rdev-ops.h cfg80211: add wdev to testmode cmd 2013-08-12 14:11:37 +02:00
reg.c regulatory: use correct regulatory initiator on wiphy register 2013-07-25 09:52:46 +02:00
reg.h
regdb.h
scan.c wireless: scan: Remove comment to compare_ether_addr 2013-09-03 22:34:48 -04:00
sme.c cfg80211: don't request disconnect if not connected 2013-08-14 14:00:19 +02:00
sysfs.c net: wireless: convert class code to use dev_groups 2013-07-25 16:34:40 -07:00
sysfs.h
trace.c
trace.h cfg80211: add wdev to testmode cmd 2013-08-12 14:11:37 +02:00
util.c cfg80211/mac80211: get mandatory rates based on scan width 2013-07-16 09:58:07 +03:00
wext-compat.c cfg80211: vastly simplify locking 2013-05-25 00:02:15 +02:00
wext-compat.h
wext-core.c
wext-priv.c
wext-proc.c
wext-sme.c cfg80211: separate internal SME implementation 2013-06-04 13:03:11 +02:00
wext-spy.c