diff options
author | Johannes Berg <johannes.berg@intel.com> | 2018-04-03 14:33:49 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2018-04-19 15:46:34 +0200 |
commit | a7cfebcb7594a24609268f91299ab85ba064bf82 (patch) | |
tree | 0d478a1526a6954b58dc0e9204eaa40591eaffdb /net | |
parent | 911a26484c33e10de6237228ca1d7293548e9f49 (diff) |
cfg80211: limit wiphy names to 128 bytes
There's currently no limit on wiphy names, other than netlink
message size and memory limitations, but that causes issues when,
for example, the wiphy name is used in a uevent, e.g. in rfkill
where we use the same name for the rfkill instance, and then the
buffer there is "only" 2k for the environment variables.
This was reported by syzkaller, which used a 4k name.
Limit the name to something reasonable, I randomly picked 128.
Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/wireless/core.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/wireless/core.c b/net/wireless/core.c index a6f3cac8c640..c0fd8a85e7f7 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struct cfg80211_registered_device *rdev, ASSERT_RTNL(); + if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) + return -EINVAL; + /* prohibit calling the thing phy%d when %d is not its number */ sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) { |