cfg80211: allow connect keys only with default (TX) key

There's no point in allowing connect keys when one of them isn't also configured as the TX key, it would just confuse drivers and probably cause them to pick something for TX. Disallow this confusing and erroneous configuration. As wpa_supplicant will always send NL80211_ATTR_KEYS, even when there are no keys inside, allow that and treat it as though the attribute isn't present at all. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Johannes Berg <johannes.berg@intel.com> 2016-09-13 11:08:23 -0400
committer: Johannes Berg <johannes.berg@intel.com> 2016-09-15 10:45:41 -0400
commit: f1c1f17ac52d22227c0074b3d661d7ed692b707a (patch)
tree: 39a551700fae54fc01846f2e8f093c33eded483c
parent: 89b706fb28e431fa7639348536c284fb375eb3c0 (diff)
4 files changed, 22 insertions, 2 deletions
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index 896cbb20b6e1..eafdfa5798ae 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -114,6 +114,9 @@ static int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
                }
        }
+        if (WARN_ON(connkeys && connkeys->def < 0))
+                return -EINVAL;
        if (WARN_ON(wdev->connect_keys))
                kzfree(wdev->connect_keys);
        wdev->connect_keys = connkeys;
@@ -289,7 +292,7 @@ int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
        wdev->wext.ibss.privacy = wdev->wext.default_key != -1;
-        if (wdev->wext.keys) {
+        if (wdev->wext.keys && wdev->wext.keys->def != -1) {
                ck = kmemdup(wdev->wext.keys, sizeof(*ck), GFP_KERNEL);
                if (!ck)
                        return -ENOMEM;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 71af96e8a947..f2a77c3daa59 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -848,6 +848,15 @@ nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
        struct nlattr *key;
        struct cfg80211_cached_keys *result;
        int rem, err, def = 0;
+        bool have_key = false;
+        nla_for_each_nested(key, keys, rem) {
+                have_key = true;
+                break;
+        }
+        if (!have_key)
+                return NULL;
        result = kzalloc(sizeof(*result), GFP_KERNEL);
        if (!result)
@@ -895,6 +904,11 @@ nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
                        *no_ht = true;
        }
+        if (result->def < 0) {
+                err = -EINVAL;
+                goto error;
+        }
        return result;
 error:
        kfree(result);
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index add6824c44fd..c08a3b57dca1 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -1043,6 +1043,9 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
                                connect->crypto.ciphers_pairwise[0] = cipher;
                        }
                }
+        } else {
+                if (WARN_ON(connkeys))
+                        return -EINVAL;
        }
        wdev->connect_keys = connkeys;
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index f6523a4387cc..88f1f6931ab8 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -42,7 +42,7 @@ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,
        if (!wdev->wext.connect.ssid_len)
                return 0;
-        if (wdev->wext.keys) {
+        if (wdev->wext.keys && wdev->wext.keys->def != -1) {
                ck = kmemdup(wdev->wext.keys, sizeof(*ck), GFP_KERNEL);
                if (!ck)
                        return -ENOMEM;
author	Johannes Berg <johannes.berg@intel.com>	2016-09-13 11:08:23 -0400
committer	Johannes Berg <johannes.berg@intel.com>	2016-09-15 10:45:41 -0400
commit	f1c1f17ac52d22227c0074b3d661d7ed692b707a (patch)
tree	39a551700fae54fc01846f2e8f093c33eded483c
parent	89b706fb28e431fa7639348536c284fb375eb3c0 (diff)