From: Johannes Berg Date: Thu, 3 Nov 2011 08:27:01 +0000 (+0100) Subject: nl80211: fix HT capability attribute validation X-Git-Tag: firefly_0821_release~7541^2~2261 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=c1ce1705eb0778927a0b81a6eb29e8ff193aa3de;p=firefly-linux-kernel-4.4.55.git nl80211: fix HT capability attribute validation commit 6c7394197af90f6a332180e33f5d025d3037d883 upstream. Since the NL80211_ATTR_HT_CAPABILITY attribute is used as a struct, it needs a minimum, not maximum length. Enforce that properly. Not doing so could potentially lead to reading after the buffer. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 1ac9443b5265..3dac76f33b94 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -126,8 +126,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = { [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED }, [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG }, - [NL80211_ATTR_HT_CAPABILITY] = { .type = NLA_BINARY, - .len = NL80211_HT_CAPABILITY_LEN }, + [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN }, [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 }, [NL80211_ATTR_IE] = { .type = NLA_BINARY,