    nl80211: fix NLA_POLICY_NESTED() arguments · a8b5c6d6
    Johannes Berg authored
    syzbot reported an out-of-bounds read when passing certain
    malformed messages into nl80211. The specific place where
    this happened isn't interesting; the problem is that nested
    policy parsing was referring to the wrong maximum attribute
    and thus the policy wasn't long enough.
    
    Fix this by referring to the correct attribute. Since this
    is really not necessary, I'll come up with a separate patch
    to just pass the policy instead of both, in the common case
    we can infer the maxattr from the size of the policy array.
    
    Reported-by: syzbot+4157b036c5f4713b1f2f@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Fixes: 9bb7e0f2 ("cfg80211: add peer measurement with FTM initiator API")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>