    nl80211: check netlink protocol in socket release notification · 9e27e421
    Dmitry Ivanov authored
    commit 8f815cdd upstream.
    
    A non-privileged user can create a netlink socket with the same port_id as
    used by an existing open nl80211 netlink socket (e.g. as used by a hostapd
    process) with a different protocol number.
    
    Closing this socket will then lead to the notification going to nl80211's
    socket release notification handler, and possibly cause an action such as
    removing a virtual interface.
    
    Fix this issue by checking that the netlink protocol is NETLINK_GENERIC.
    Since generic netlink has no notifier chain of its own, we can't fix the
    problem more generically.
    
    Fixes: 026331c4 ("cfg80211/mac80211: allow registering for and sending action frames")
    Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
    [rewrite commit message]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
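A userspace model of the check the commit message above describes, added here as an illustration; it is not the kernel patch and not code from this page. The struct and function names, the port_id values and the second protocol number are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_GENERIC 16 /* value of NETLINK_GENERIC in <linux/netlink.h> */
#define PROTO_OTHER    2 /* stands in for any other netlink protocol */

/* Model of what a socket release notification carries. */
struct release_event { uint32_t port_id; int protocol; };

/* Model of a virtual interface tied to the socket that created it. */
struct vif { uint32_t owner_port_id; bool present; };

/* Behaviour before the fix: cleanup is keyed on port_id alone, although a
 * port_id is only unique within one netlink protocol. */
static int on_release_unchecked(struct vif *v, size_t n,
                                const struct release_event *ev)
{
    int removed = 0;
    for (size_t i = 0; i < n; i++) {
        if (v[i].present && v[i].owner_port_id == ev->port_id) {
            v[i].present = false;
            removed++;
        }
    }
    return removed;
}

/* Behaviour after the fix: releases from other protocols are ignored. */
static int on_release_checked(struct vif *v, size_t n,
                              const struct release_event *ev)
{
    if (ev->protocol != PROTO_GENERIC)
        return 0;
    return on_release_unchecked(v, n, ev);
}

/* Constructed scenario: a socket with port_id 4242 on `protocol` closes
 * while a generic netlink client with the same port_id owns a vif. */
static int run_scenario(bool checked, int protocol)
{
    struct vif vifs[] = { { 4242, true }, { 7, true } };
    struct release_event ev = { 4242, protocol };
    return checked ? on_release_checked(vifs, 2, &ev)
                   : on_release_unchecked(vifs, 2, &ev);
}

int main(void)
{
    printf("unchecked, other protocol: %d removed\n", run_scenario(false, PROTO_OTHER));
    printf("checked, other protocol:   %d removed\n", run_scenario(true, PROTO_OTHER));
    return 0;
}
```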
nl80211.c 316 KB