From patchwork Mon May 17 08:05:18 2021
X-Patchwork-Submitter: Wojciech Jowsa
X-Patchwork-Id: 1479300
From: Wojciech Jowsa
To: openwrt-devel@lists.openwrt.org
Cc: Wojciech Jowsa
Subject: [PATCH] iwinfo: add guard for scan buffer overflow
Date: Mon, 17 May 2021 10:05:18 +0200
Message-Id: <20210517080518.26077-1-wojciech.jowsa@gmail.com>
It might happen that the driver returns huge scan results, e.g. when there are many access points available in the area where scanning is performed. Currently, all scan results are copied to the buffer, no matter the buffer size. This adds a guard to prevent buffer overflow, i.e. the scan buffer can be filled only to its maximum length. Buffer length can be passed through the len argument of the scanlist method.

Signed-off-by: Wojciech Jowsa --- iwinfo_nl80211.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/iwinfo_nl80211.c b/iwinfo_nl80211.c index eea521e..b7cf677 100644 --- a/iwinfo_nl80211.c +++ b/iwinfo_nl80211.c @@ -2357,6 +2357,7 @@ static void nl80211_get_scancrypto(char *spec, struct iwinfo_crypto_entry *c) struct nl80211_scanlist { struct iwinfo_scanlist_entry *e; int len; + int maxlen; }; @@ -2435,6 +2436,10 @@ static int nl80211_get_scanlist_cb(struct nl_msg *msg, void *arg) [NL80211_BSS_BEACON_IES] = { 0 }, }; + if(sl->maxlen && (sl->len + 1) > sl->maxlen) { + return NL_STOP; + } + if (!tb[NL80211_ATTR_BSS] || nla_parse_nested(bss, NL80211_BSS_MAX, tb[NL80211_ATTR_BSS], bss_policy) || @@ -2496,9 +2501,9 @@ static int nl80211_get_scanlist_cb(struct nl_msg *msg, void *arg) return NL_SKIP; } -static int nl80211_get_scanlist_nl(const char *ifname, char *buf, int *len) +static int nl80211_get_scanlist_nl(const char *ifname, char *buf, int *len, int maxlen) { - struct nl80211_scanlist sl = { .e = (struct iwinfo_scanlist_entry *)buf }; + struct nl80211_scanlist sl = { .e = (struct iwinfo_scanlist_entry *)buf, .maxlen = maxlen }; if (nl80211_request(ifname, NL80211_CMD_TRIGGER_SCAN, 0, NULL, NULL)) goto out;
@@ -2732,9 +2737,7 @@ static int nl80211_get_scanlist_wpactl(const char *ifname, char *buf, int *len) static int nl80211_get_scanlist(const char *ifname, char *buf, int *len) { char *res; - int rv, mode; - - *len = 0; + int rv, mode, maxlen = *len / sizeof(struct iwinfo_scanlist_entry); /* Got a radioX pseudo interface, find some interface on it or create one */ if (!strncmp(ifname, "radio", 5)) @@ -2754,6 +2757,8 @@ static int nl80211_get_scanlist(const char *ifname, char *buf, int *len) } } + *len = 0; + /* WPA supplicant */ if (!nl80211_get_scanlist_wpactl(ifname, buf, len)) { @@ -2768,7 +2773,7 @@ static int nl80211_get_scanlist(const char *ifname, char *buf, int *len) mode == IWINFO_OPMODE_MONITOR) && iwinfo_ifup(ifname)) { - return nl80211_get_scanlist_nl(ifname, buf, len); + return nl80211_get_scanlist_nl(ifname, buf, len, maxlen); } /* AP scan */ @@ -2780,7 +2785,7 @@ static int nl80211_get_scanlist(const char *ifname, char *buf, int *len) if (!iwinfo_ifup(ifname)) return -1; - rv = nl80211_get_scanlist_nl(ifname, buf, len); + rv = nl80211_get_scanlist_nl(ifname, buf, len, maxlen); iwinfo_ifdown(ifname); return rv; } @@ -2797,7 +2802,7 @@ static int nl80211_get_scanlist(const char *ifname, char *buf, int *len) * additional interface and there's no need to tear down the ap */ if (iwinfo_ifup(res)) { - rv = nl80211_get_scanlist_nl(res, buf, len); + rv = nl80211_get_scanlist_nl(res, buf, len, maxlen); iwinfo_ifdown(res); } @@ -2805,7 +2810,7 @@ static int nl80211_get_scanlist(const char *ifname, char *buf, int *len) * during scan */ else if (iwinfo_ifdown(ifname) && iwinfo_ifup(res)) { - rv = nl80211_get_scanlist_nl(res, buf, len); + rv = nl80211_get_scanlist_nl(res, buf, len, maxlen); iwinfo_ifdown(res); iwinfo_ifup(ifname); nl80211_hostapd_hup(ifname);
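Review bot: the new `int maxlen;` field in struct nl80211_scanlist (first hunk) carries no comment on its units. It is later filled from `*len / sizeof(struct iwinfo_scanlist_entry)`, so it is a count of entries and is compared against `len`, which must therefore also be an entry count, while the `*len` parameter of the public nl80211_get_scanlist() is a byte length. A one-line comment such as `int maxlen; /* capacity in entries, 0 = unbounded */` next to the field would make that contract explicit and stop the two meanings of "len" being confused.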
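Review bot: the `sl->maxlen &&` short-circuit in the new check in nl80211_get_scanlist_cb (second hunk) turns maxlen == 0 into "unbounded", but maxlen is derived by dividing the caller's byte length by sizeof(struct iwinfo_scanlist_entry), so a buffer smaller than one entry, or a caller that left *len at 0, yields maxlen == 0 and the guard is switched off precisely when the buffer is smallest; the first entry then overflows exactly as before. Drop the `sl->maxlen &&` part and write the bound as `if (sl->len >= sl->maxlen) return NL_STOP;`, which is the same condition as `(sl->len + 1) > sl->maxlen` and matches the `if (` spacing and brace-less single-statement style of the surrounding code. Returning NL_STOP also ends the dump silently: the caller cannot distinguish a full buffer from a short scan, so consider recording truncation (for example a flag in struct nl80211_scanlist) that nl80211_get_scanlist_nl can report.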
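Review bot: dropping `*len = 0;` from the top of nl80211_get_scanlist() (the hunk declaring `int rv, mode, maxlen = *len / sizeof(struct iwinfo_scanlist_entry);`) changes the failure contract: any return inside the following "radioX" resolution block now leaves *len holding the caller's input byte length instead of 0, so a caller that inspects *len after a failed call will believe it received a full buffer. Keep the reset directly after maxlen is captured, i.e. `int rv, mode, maxlen = *len / sizeof(struct iwinfo_scanlist_entry);` followed immediately by `*len = 0;`. The division also mixes a signed int with size_t: a negative *len converts to a very large unsigned value before being truncated back into int, so clamp `*len < 0` (and, given that maxlen == 0 disables the check, reject a buffer smaller than one entry rather than passing 0 down). Since *len becomes an in/out parameter, every caller of the scanlist op that did not initialise *len, and every other backend implementing it, is affected; that should be stated in the commit message and in the iwinfo ops documentation.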
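Review bot: the wpa_supplicant path `nl80211_get_scanlist_wpactl(ifname, buf, len)` directly below the restored `*len = 0;` (the `/* WPA supplicant */` hunk) is left unbounded: it still receives only `len`, now zeroed, and no `maxlen`, so whenever wpa_supplicant is running the scan results are copied exactly as before and the new guard never applies. Either thread maxlen through that path as well, or say in the commit message that only the raw nl80211 dump is bounded.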
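The bounded fill the commit message describes, as an added stand-alone C model (example code, not iwinfo's code and not part of the patch): iwinfo_scanlist_entry, the nl80211 per-BSS callback and the scan results are replaced by constructed stand-ins (scan_entry, bss_msg, scanlist_cb, sample_scan), fill_scanlist plays the role of nl80211_get_scanlist_nl, and run_demo and demo_negative_len are assumed names for the harness. It differs from the patch in three ways a reviewer would ask for: a zero capacity stops the fill instead of disabling the check, the caller is told when results were dropped, and a negative byte length is clamped instead of being divided as size_t.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for iwinfo_scanlist_entry; the real struct is larger. */
struct scan_entry {
	uint8_t mac[6];
	char ssid[33];
	int signal;
};

/* Constructed stand-in for one NL80211_ATTR_BSS record handed to the callback. */
struct bss_msg {
	uint8_t mac[6];
	const char *ssid;
	int signal;
};

/* Same shape as the patched struct nl80211_scanlist, plus a truncation flag. */
struct scanlist_ctx {
	struct scan_entry *e;   /* next free slot in the caller's buffer */
	int len;                /* entries written so far */
	int maxlen;             /* capacity in entries, derived from the byte length */
	int truncated;          /* set when a result had to be dropped (not in the patch) */
};

enum { CB_OK = 0, CB_STOP = 1 };   /* stand-ins for NL_SKIP / NL_STOP */

/* Per-BSS callback with the bound checked before anything is written.
 * Unlike the patch, maxlen == 0 means "no room", not "unbounded". */
static int scanlist_cb(struct scanlist_ctx *sl, const struct bss_msg *m)
{
	if (sl->len >= sl->maxlen) {
		sl->truncated = 1;
		return CB_STOP;
	}
	memcpy(sl->e->mac, m->mac, sizeof(sl->e->mac));
	snprintf(sl->e->ssid, sizeof(sl->e->ssid), "%s", m->ssid);
	sl->e->signal = m->signal;
	sl->e++;
	sl->len++;
	return CB_OK;
}

/* Fill buf (buf_bytes long) from n driver records. Returns entries written,
 * stores the bytes used in *len_bytes and flags truncation in *truncated.
 * A non-positive byte length yields zero capacity instead of a huge size_t. */
int fill_scanlist(char *buf, int buf_bytes, const struct bss_msg *msgs, int n,
                  int *len_bytes, int *truncated)
{
	struct scanlist_ctx sl = {
		.e = (struct scan_entry *)buf,
		.maxlen = buf_bytes > 0 ? buf_bytes / (int)sizeof(struct scan_entry) : 0,
	};
	for (int i = 0; i < n; i++)
		if (scanlist_cb(&sl, &msgs[i]) == CB_STOP)
			break;
	*len_bytes = sl.len * (int)sizeof(struct scan_entry);
	*truncated = sl.truncated;
	return sl.len;
}

/* Constructed sample scan: five access points, more than a three-entry buffer holds. */
static const struct bss_msg sample_scan[5] = {
	{ {0x00, 0x11, 0x22, 0x33, 0x44, 0x01}, "corp-wifi",     -41 },
	{ {0x00, 0x11, 0x22, 0x33, 0x44, 0x02}, "corp-guest",    -47 },
	{ {0x00, 0x11, 0x22, 0x33, 0x44, 0x03}, "neighbour-5g",  -63 },
	{ {0x00, 0x11, 0x22, 0x33, 0x44, 0x04}, "printer-setup", -70 },
	{ {0x00, 0x11, 0x22, 0x33, 0x44, 0x05}, "",              -81 },
};

struct demo_result { int count; int len_bytes; int truncated; int canary_ok; };

/* Run the bounded fill into a heap buffer sized for exactly cap entries, with a
 * canary word placed directly after it to prove nothing spills past the end. */
struct demo_result run_demo(int cap)
{
	const uint32_t canary = 0xDEADBEEFu;
	size_t bytes = (size_t)cap * sizeof(struct scan_entry);
	char *region = calloc(1, bytes + sizeof(canary));
	struct demo_result r = { 0 };

	memcpy(region + bytes, &canary, sizeof(canary));
	r.count = fill_scanlist(region, (int)bytes, sample_scan, 5, &r.len_bytes, &r.truncated);
	r.canary_ok = memcmp(region + bytes, &canary, sizeof(canary)) == 0;
	free(region);
	return r;
}

/* A negative byte length must not become a huge unsigned capacity. */
int demo_negative_len(void)
{
	int len_bytes, truncated;
	return fill_scanlist(NULL, -64, sample_scan, 5, &len_bytes, &truncated);
}

int main(void)
{
	int caps[] = { 0, 3, 8 };
	for (size_t i = 0; i < sizeof(caps) / sizeof(caps[0]); i++) {
		struct demo_result r = run_demo(caps[i]);
		printf("capacity %d: wrote %d entries (%d bytes), truncated=%d, canary intact=%d\n",
		       caps[i], r.count, r.len_bytes, r.truncated, r.canary_ok);
	}
	return 0;
}
```

The canary after the buffer is what the patch's original bug would have overwritten; with the check in place it survives for a zero-sized, an under-sized and an over-sized buffer, and the truncated flag is the piece of information the caller needs to decide whether to retry with a larger allocation.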