While we do more input validation on the kernel level we have to check for overruns here as this would be to late on kernel level. An example would be setting ackreq_default to 257 which would come as 0 to the kernel netlink API due to it being u8. To avoid this we check for args over maximum and reject them here. Rest of input validation stay in kernel.
Signed-off-by: Stefan Schmidt <stefan@xxxxxxxxxxxxxxx>
---
 src/mac.c | 21 +++++++++++++++++++++
 src/phy.c | 3 +++
 2 files changed, 24 insertions(+)
diff --git a/src/mac.c b/src/mac.c
index 76db58f..286802c 100644
--- a/src/mac.c
+++ b/src/mac.c
@@ -30,6 +30,9 @@ static int handle_pan_id_set(struct nl802154_state *state,
 if (*end != '\0')
 return 1;
+ if (pan_id > UINT16_MAX)
+ return 1;
+
 NLA_PUT_U16(msg, NL802154_ATTR_PAN_ID, htole16(pan_id));
 return 0;
@@ -57,6 +60,9 @@ static int handle_short_addr_set(struct nl802154_state *state,
 if (*end != '\0')
 return 1;
+ if (short_addr > UINT16_MAX)
+ return 1;
+
 NLA_PUT_U16(msg, NL802154_ATTR_SHORT_ADDR, htole16(short_addr));
 return 0;
@@ -84,6 +90,9 @@ static int handle_max_frame_retries_set(struct nl802154_state *state,
 if (*end != '\0')
 return 1;
+ if (retries > INT8_MAX)
+ return 1;
+
 NLA_PUT_S8(msg, NL802154_ATTR_MAX_FRAME_RETRIES, retries);
 return 0;
@@ -118,6 +127,9 @@ static int handle_backoff_exponent(struct nl802154_state *state,
 if (*end != '\0')
 return 1;
+ if (min_be > UINT8_MAX || max_be > UINT8_MAX)
+ return 1;
+
 NLA_PUT_U8(msg, NL802154_ATTR_MIN_BE, min_be);
 NLA_PUT_U8(msg, NL802154_ATTR_MAX_BE, max_be);
@@ -147,6 +159,9 @@ static int handle_max_csma_backoffs(struct nl802154_state *state,
 if (*end != '\0')
 return 1;
+ if (backoffs > UINT8_MAX)
+ return 1;
+
 NLA_PUT_U8(msg, NL802154_ATTR_MAX_CSMA_BACKOFFS, backoffs);
 return 0;
@@ -176,6 +191,9 @@ static int handle_lbt_mode(struct nl802154_state *state,
 if (*end != '\0')
 return 1;
+ if (mode > UINT8_MAX)
+ return 1;
+
 NLA_PUT_U8(msg, NL802154_ATTR_LBT_MODE, mode);
 return 0;
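Review bot: The new guard in handle_pan_id_set checks only the upper bound, so whether it closes the truncation gap depends on the type of `pan_id`, which is declared outside this hunk. If the value is parsed into a signed type, a negative argument passes `pan_id > UINT16_MAX` and is still narrowed by `NLA_PUT_U16`, so `-1` would reach the kernel as 0xFFFF. In that case the check should read `if (pan_id < 0 || pan_id > UINT16_MAX)`; if the variables are unsigned, a short comment such as `/* unsigned: negative input wraps above the limit and is rejected */` would record why one comparison is enough. The same applies to the upper-bound-only checks in handle_short_addr_set, handle_backoff_exponent, handle_max_csma_backoffs, handle_lbt_mode, handle_ackreq_default and, in src/phy.c, handle_channel_set.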
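Review bot: The check in handle_max_frame_retries_set bounds `retries` only from above, but the attribute is written with `NLA_PUT_S8`, so the narrowing can also wrap from below. Assuming `retries` is a signed integer wider than 8 bits (its declaration is outside the hunk), an argument such as -257 passes `retries > INT8_MAX` and would typically arrive as -1 after conversion to s8. The guard should cover both ends: `if (retries < INT8_MIN || retries > INT8_MAX) return 1;`.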
@@ -203,6 +221,9 @@ static int handle_ackreq_default(struct nl802154_state *state,
 if (*end != '\0')
 return 1;
+ if (ackreq > UINT8_MAX)
+ return 1;
+
 NLA_PUT_U8(msg, NL802154_ATTR_ACKREQ_DEFAULT, ackreq);
 return 0;
diff --git a/src/phy.c b/src/phy.c
index 8adffcc..816bdd8 100644
--- a/src/phy.c
+++ b/src/phy.c
@@ -36,6 +36,9 @@ static int handle_channel_set(struct nl802154_state *state,
 if (*end != '\0')
 return 1;
+ if (page > UINT8_MAX || channel > UINT8_MAX)
+ return 1;
+
 NLA_PUT_U8(msg, NL802154_ATTR_PAGE, page);
 NLA_PUT_U8(msg, NL802154_ATTR_CHANNEL, channel);
--
2.4.3
--
To unsubscribe from this list: send the line "unsubscribe linux-wpan" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html