cfg80211: limit wiphy names to 128 bytes

commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream. There's currently no limit on wiphy names, other than netlink message size and memory limitations, but that causes issues when, for example, the wiphy name is used in a uevent, e.g. in rfkill where we use the same name for the rfkill instance, and then the buffer there is "only" 2k for the environment variables. This was reported by syzkaller, which used a 4k name. Limit the name to something reasonable, I randomly picked 128. Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Johannes Berg <johannes.berg@intel.com> 2018-04-03 14:33:49 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-25 16:17:35 +0200
commit: 9f2c35864ad690ba95e6526a136805fd8a8cdb3b (patch)
tree: 00f564a0aa3455a08b70d18d7538d664e467986f /net/wireless
parent: 360964411d57d060d0b3f067c7a708ba9aeb5e07 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 33ce0484b2a0..45cbade9ad68 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struct cfg80211_registered_device *rdev,
 
 	ASSERT_RTNL();
 
+	if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN)
+		return -EINVAL;
+
 	/* prohibit calling the thing phy%d when %d is not its number */
 	sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken);
 	if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {
author	Johannes Berg <johannes.berg@intel.com>	2018-04-03 14:33:49 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-05-25 16:17:35 +0200
commit	9f2c35864ad690ba95e6526a136805fd8a8cdb3b (patch)
tree	00f564a0aa3455a08b70d18d7538d664e467986f /net/wireless
parent	360964411d57d060d0b3f067c7a708ba9aeb5e07 (diff)