Hi,
This annotates several structures with the coming __counted_by attribute
for bounds checking of flexible arrays at run-time. As a note toward
applicability, had this mitigation been available already, the flaw
fixed in commit 6311071a0562 ("wifi: nl80211: fix integer overflow in
nl80211_parse_mbssid_elems()") would have already been unexploitable
(i.e. writes through an out-of-bounds index would have been blocked).
Thanks!
-Kees
Kees Cook (7):
wifi: cfg80211: Annotate struct cfg80211_acl_data with __counted_by
wifi: cfg80211: Annotate struct cfg80211_cqm_config with __counted_by
wifi: cfg80211: Annotate struct cfg80211_mbssid_elems with
__counted_by
wifi: cfg80211: Annotate struct cfg80211_pmsr_request with
__counted_by
wifi: cfg80211: Annotate struct cfg80211_rnr_elems with __counted_by
wifi: cfg80211: Annotate struct cfg80211_scan_request with
__counted_by
wifi: cfg80211: Annotate struct cfg80211_tid_config with __counted_by
include/net/cfg80211.h | 12 ++++++------
net/wireless/core.h | 2 +-
net/wireless/nl80211.c | 7 +++----
net/wireless/pmsr.c | 3 +--
4 files changed, 11 insertions(+), 13 deletions(-)
--
2.34.1
