cfg80211: check regulatory request alpha2 early Currently nl80211 allows userspace to send the kernel a bogus regulatory domain with at most 32 rules set and it won't reject it until after its allocated memory. Let's be smart about it and take advantage that the last_request is now available under RTNL and check if the alpha2 matches an expected request and reject any bogus userspace requests prior to hitting the memory allocator. Signed-off-by: Luis R. Rodriguez <mcgrof@do-not-panic.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

commit: e438768ff9b22c83a968e14b79e8c83128e8bfe4 [log] [tgz]
author: Luis R. Rodriguez <mcgrof@do-not-panic.com> Tue Nov 05 09:18:01 2013 -0800
committer: Johannes Berg <johannes.berg@intel.com> Mon Nov 25 20:51:02 2013 +0100
tree: 956366ad035f64af8965c3a737eaa74598d1e1b6
parent: cc493e4f5296f4da111f25ea4a216bb77270ccc6 [diff] [blame]
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 04fa8bb..7b73132 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c

@@ -5100,6 +5100,9 @@
 			return -EINVAL;
 	}
 
+	if (!reg_is_valid_request(alpha2))
+		return -EINVAL;
+
 	size_of_regd = sizeof(struct ieee80211_regdomain) +
 		       num_rules * sizeof(struct ieee80211_reg_rule);
commit	e438768ff9b22c83a968e14b79e8c83128e8bfe4	[log] [tgz]
author	Luis R. Rodriguez <mcgrof@do-not-panic.com>	Tue Nov 05 09:18:01 2013 -0800
committer	Johannes Berg <johannes.berg@intel.com>	Mon Nov 25 20:51:02 2013 +0100
tree	956366ad035f64af8965c3a737eaa74598d1e1b6
parent	cc493e4f5296f4da111f25ea4a216bb77270ccc6 [diff] [blame]