]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
cfg80211: Fix validation of AKM suites
authorJouni Malinen <jouni@qca.qualcomm.com>
Wed, 21 Sep 2011 13:13:07 +0000 (16:13 +0300)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 3 Oct 2011 18:41:10 +0000 (11:41 -0700)
commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream.

Incorrect variable was used in validating the akm_suites array from
NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
validation of the array length (we only have room for
NL80211_MAX_NR_AKM_SUITES).

This can result in a buffer write overflow for stack variables with
arbitrary data from user space. The nl80211 commands using the affected
functionality require GENL_ADMIN_PERM, so this is only exposed to admin
users.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net/wireless/nl80211.c

index cea338150d0564ee0103790eb80fc6af270e861b..1ac9443b5265c11f1a22af4cac1e720688ba8d1a 100644 (file)
@@ -4044,9 +4044,12 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
                if (len % sizeof(u32))
                        return -EINVAL;
 
+               if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
+                       return -EINVAL;
+
                memcpy(settings->akm_suites, data, len);
 
-               for (i = 0; i < settings->n_ciphers_pairwise; i++)
+               for (i = 0; i < settings->n_akm_suites; i++)
                        if (!nl80211_valid_akm_suite(settings->akm_suites[i]))
                                return -EINVAL;
        }