As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded a deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying:
struct probe_resp
struct fils_discovery_data
struct unsol_bcast_probe_resp_data
Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
Cc: linux-wireless@xxxxxxxxxxxxxxx
Cc: netdev@xxxxxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
net/mac80211/cfg.c | 22 ++++++----------------
net/mac80211/ieee80211_i.h | 12 ++++++------
2 files changed, 12 insertions(+), 22 deletions(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index f1d211e61e49..355edbf41707 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -867,20 +867,16 @@ ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata,
const struct ieee80211_csa_settings *csa,
const struct ieee80211_color_change_settings *cca)
{
- struct probe_resp *new, *old;
+ struct probe_resp *new = NULL, *old;
if (!resp || !resp_len)
return 1;
old = sdata_dereference(sdata->u.ap.probe_resp, sdata);
- new = kzalloc(sizeof(struct probe_resp) + resp_len, GFP_KERNEL);
- if (!new)
+ if (mem_to_flex_dup(&new, resp, resp_len, GFP_KERNEL))
return -ENOMEM;
- new->len = resp_len;
- memcpy(new->data, resp, resp_len);
-
if (csa)
memcpy(new->cntdwn_counter_offsets, csa->counter_offsets_presp,
csa->n_counter_offsets_presp *
@@ -898,7 +894,7 @@ ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata,
static int ieee80211_set_fils_discovery(struct ieee80211_sub_if_data *sdata,
struct cfg80211_fils_discovery *params)
{
- struct fils_discovery_data *new, *old = NULL;
+ struct fils_discovery_data *new = NULL, *old = NULL;
struct ieee80211_fils_discovery *fd;
if (!params->tmpl || !params->tmpl_len)
@@ -909,11 +905,8 @@ static int ieee80211_set_fils_discovery(struct ieee80211_sub_if_data *sdata,
fd->max_interval = params->max_interval;
old = sdata_dereference(sdata->u.ap.fils_discovery, sdata);
- new = kzalloc(sizeof(*new) + params->tmpl_len, GFP_KERNEL);
- if (!new)
+ if (mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL))
return -ENOMEM;
- new->len = params->tmpl_len;
- memcpy(new->data, params->tmpl, params->tmpl_len);
rcu_assign_pointer(sdata->u.ap.fils_discovery, new);
if (old)
@@ -926,17 +919,14 @@ static int
ieee80211_set_unsol_bcast_probe_resp(struct ieee80211_sub_if_data *sdata,
struct cfg80211_unsol_bcast_probe_resp *params)
{
- struct unsol_bcast_probe_resp_data *new, *old = NULL;
+ struct unsol_bcast_probe_resp_data *new = NULL, *old = NULL;
if (!params->tmpl || !params->tmpl_len)
return -EINVAL;
old = sdata_dereference(sdata->u.ap.unsol_bcast_probe_resp, sdata);
- new = kzalloc(sizeof(*new) + params->tmpl_len, GFP_KERNEL);
- if (!new)
+ if (mem_to_flex_dup(&new, params->tmpl, params->tmpl_len, GFP_KERNEL))
return -ENOMEM;
- new->len = params->tmpl_len;
- memcpy(new->data, params->tmpl, params->tmpl_len);
rcu_assign_pointer(sdata->u.ap.unsol_bcast_probe_resp, new);
if (old)
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index d4a7ba4a8202..2e9bbfb12c0d 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -263,21 +263,21 @@ struct beacon_data {
struct probe_resp {
struct rcu_head rcu_head;
- int len;
+ DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len);
u16 cntdwn_counter_offsets[IEEE80211_MAX_CNTDWN_COUNTERS_NUM];
- u8 data[];
+ DECLARE_FLEX_ARRAY_ELEMENTS(u8, data);
};
struct fils_discovery_data {
struct rcu_head rcu_head;
- int len;
- u8 data[];
+ DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len);
+ DECLARE_FLEX_ARRAY_ELEMENTS(u8, data);
};
struct unsol_bcast_probe_resp_data {
struct rcu_head rcu_head;
- int len;
- u8 data[];
+ DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, len);
+ DECLARE_FLEX_ARRAY_ELEMENTS(u8, data);
};
struct ps_data {
--
2.32.0
