lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20171201184826.GA18247@w1.fi>
Date:   Fri, 1 Dec 2017 20:48:26 +0200
From:   Jouni Malinen <j@...fi>
To:     Jouni Malinen <jkmalinen@...il.com>
Cc:     David Ahern <dsahern@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v2 net-next] net: netlink: Update attr validation to
 require exact length for some types

Well.. This did not go well with gmail defaults and the mailing list..
Sending this with something safer and plaintext only version to get this
on the mailing list as well:

On Wed, Nov 8, 2017 at 7:59 AM, David Ahern <dsahern@...il.com> wrote:

> Attributes using NLA_U* and NLA_S* (where * is 8, 16,32 and 64) are
> expected to be an exact length. Split these data types from
> nla_attr_minlen into nla_attr_len and update validate_nla to require
> the attribute to have exact length for them.

While I understand and support this change in general, I have to note that
this resulted in some unfortunate user space regressions that came apparent
when testing Wi-Fi with Linux 4.15-rc1. When a new nl80211 attribute was
added for controlling SMPS modes in 2014 the kernel contribution added this
with NLA_U8 policy while the user space contribution to hostapd used
NLA_PUT_U32. This has apparently been unnoticed until now since the first
byte contained the appropriate value on little endian devices (no one
testing this on big endian hosts?)..

I'll obviously fix the encoding of this attribute in hostapd, but it should
be noted that Linux 4.15 will result in significant functionality issues if
the kernel is updated without a user space fix going in first.

-- 
Jouni Malinen                                            PGP id EFC895FA

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ