Peng Xu 6a6c61d846 nl80211: Define policy for packet pattern attributes ... commit ad670233c9e1d5feb365d870e30083ef1b889177 upstream. Define a policy for packet pattern attributes in order to fix a potential read over the end of the buffer during nla_get_u32() of the NL80211_PKTPAT_OFFSET attribute. Note that the data there can always be read due to SKB allocation (with alignment and struct skb_shared_info at the end), but the data might be uninitialized. This could be used to leak some data from uninitialized vmalloc() memory, but most drivers don't allow an offset (so you'd just get -EINVAL if the data is non-zero) or just allow it with a fixed value - 100 or 128 bytes, so anything above that would get -EINVAL. With brcmfmac the limit is 1500 so (at least) one byte could be obtained. Cc: stable@kernel.org Signed-off-by: Peng Xu <pxu@qti.qualcomm.com> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> [rewrite description based on SKB allocation knowledge] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2017-10-18 09:20:41 +02:00
..
6lowpan	6lowpan: put mcast compression in an own function	2015-10-21 00:49:25 +02:00
9p	p9_client_readdir() fix	2017-05-02 21:19:55 -07:00
802
8021q	vlan: Propagate MAC address to VLANs	2017-08-06 19:19:43 -07:00
appletalk
atm	atm: deal with setting entry before mkip was called	2015-09-17 22:13:32 -07:00
ax25	ax25: Fix segfault after sock connection timeout	2017-02-04 09:45:09 +01:00
batman-adv	batman-adv: Check for alloc errors when preparing TT local data	2016-12-15 08:49:23 -08:00
bluetooth	Bluetooth: Properly check L2CAP config option output buffer length	2017-09-13 14:09:46 -07:00
bridge	bridge: netlink: register netdevice before executing changelink	2017-10-08 10:14:19 +02:00
caif	net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx	2017-07-05 14:37:14 +02:00
can	can: Fix kernel panic at security_sock_rcv_skb	2017-02-18 16:39:26 +01:00
ceph	libceph: force GFP_NOIO for socket allocations	2017-04-08 09:53:30 +02:00
core	net: core: Prevent from dereferencing null pointer when releasing SKB	2017-10-08 10:14:18 +02:00
dcb	net/dcb: make dcbnl.c explicitly non-modular	2015-10-09 07:52:27 -07:00
dccp	dccp: defer ccid_hc_tx_delete() at dismantle time	2017-08-30 10:19:18 +02:00
decnet	decnet: always not take dst->__refcnt when inserting dst into hash table	2017-07-05 14:37:14 +02:00
dns_resolver	net: dns_resolver: convert time_t to time64_t	2015-11-18 16:27:46 -05:00
dsa	net: dsa: Check return value of phy_connect_direct()	2017-07-05 14:37:19 +02:00
ethernet	net: introduce device min_header_len	2017-02-18 16:39:27 +01:00
hsr	net/hsr: fix a warning message	2015-11-23 14:56:15 -05:00
ieee802154	Revert "net: fix percpu memory leaks"	2017-09-27 11:00:11 +02:00
ipv4	netfilter: invoke synchronize_rcu after set the _hook_ to NULL	2017-10-08 10:14:19 +02:00
ipv6	ipv6: fix typo in fib6_net_exit()	2017-09-27 11:00:12 +02:00
ipx	ipx: call ipxitf_put() in ioctl error path	2017-05-25 14:30:13 +02:00
irda	irda: do not leak initialized list.dev to userspace	2017-08-30 10:19:21 +02:00
iucv	af_iucv: Validate socket address length in iucv_sock_bind()	2016-03-03 15:07:03 -08:00
key	af_key: do not use GFP_KERNEL in atomic contexts	2017-08-30 10:19:18 +02:00
l2tp	l2tp: fix PPP pseudo-wire auto-loading	2017-05-02 21:19:52 -07:00
l3mdev	net: Add netif_is_l3_slave	2015-10-07 04:27:43 -07:00
lapb
llc	net/llc: avoid BUG_ON() in skb_orphan()	2017-02-26 11:07:49 +01:00
mac80211	mac80211: flush hw_roc_start work before cancelling the ROC	2017-10-05 09:41:44 +02:00
mac802154	mac802154: llsec: use kzfree	2015-10-21 00:49:24 +02:00
mpls	mpls: Send route delete notifications when router module is unloaded	2017-03-22 12:04:16 +01:00
netfilter	netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max	2017-10-08 10:14:19 +02:00
netlabel	netlabel: add address family checks to netlbl_{sock,req}_delattr()	2016-08-20 18:09:22 +02:00
netlink	netlink: Allow direct reclaim for fallback allocation	2017-05-08 07:46:02 +02:00
netrom
nfc	NFC: Add sockaddr length checks before accessing sa_family in bind handlers	2017-07-27 15:06:03 -07:00
openvswitch	openvswitch: fix potential out of bound access in parse_ct	2017-08-11 09:08:53 -07:00
packet	net/packet: check length in getsockopt() called with PACKET_HDRLEN	2017-10-08 10:14:18 +02:00
phonet	phonet: properly unshare skbs in phonet_rcv()	2016-01-31 11:29:00 -08:00
rds	rds: ib: add error handle	2017-10-08 10:14:19 +02:00
rfkill	rfkill: fix rfkill_fop_read wait_event usage	2016-03-03 15:07:26 -08:00
rose
rxrpc	rxrpc: Fix several cases where a padded len isn't checked in ticket decode	2017-06-29 12:48:52 +02:00
sched	net: sched: fix NULL pointer dereference when action calls some targets	2017-08-30 10:19:21 +02:00
sctp	sctp: fully initialize the IPv6 address in sctp_v6_to_addr()	2017-08-30 10:19:19 +02:00
sunrpc	SUNRPC: fix refcounting problems with auth_gss messages.	2017-04-21 09:30:08 +02:00
switchdev	switchdev: pass pointer to fib_info instead of copy	2016-06-24 10:18:16 -07:00
tipc	tipc: fix use-after-free	2017-08-30 10:19:20 +02:00
unix	af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers	2017-07-05 14:37:13 +02:00
vmw_vsock	VSOCK: Detach QP check should filter out non matching QPs.	2017-04-27 09:09:32 +02:00
wimax	net:wimax: Fix doucble word "the the" in networking.xml	2015-08-09 22:43:52 -07:00
wireless	nl80211: Define policy for packet pattern attributes	2017-10-18 09:20:41 +02:00
x25	net: fix a kernel infoleak in x25 module	2016-05-18 17:06:43 -07:00
xfrm	xfrm: policy: check policy direction value	2017-09-07 08:34:09 +02:00
compat.c	audit: log 32-bit socketcalls	2017-10-08 10:14:18 +02:00
Kconfig	net: Introduce L3 Master device abstraction	2015-09-29 20:40:32 -07:00
Makefile	net: Introduce L3 Master device abstraction	2015-09-29 20:40:32 -07:00
socket.c	net: socket: fix recvmmsg not returning error from sock_error	2017-02-26 11:07:50 +01:00
sysctl_net.c	net: Use ns_capable_noaudit() when determining net sysctl permissions	2016-09-15 08:27:50 +02:00