aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2011-09-21 09:13:07 -0400
committerJohn W. Linville <linville@tuxdriver.com>2011-09-21 15:58:24 -0400
commit1b9ca0272ffae212e726380f66777b30a56ed7a5 (patch)
treedd91eefd0ee5fe21ba06816a4a25cc2303603744 /net
parent65d0f19e583e80e42b1c67c166bfc4dfdf6ab693 (diff)
cfg80211: Fix validation of AKM suites
Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Cc: stable@kernel.org Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/nl80211.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index e83e7fee3bc0..ea40d540a990 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4113,9 +4113,12 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
4113 if (len % sizeof(u32)) 4113 if (len % sizeof(u32))
4114 return -EINVAL; 4114 return -EINVAL;
4115 4115
4116 if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
4117 return -EINVAL;
4118
4116 memcpy(settings->akm_suites, data, len); 4119 memcpy(settings->akm_suites, data, len);
4117 4120
4118 for (i = 0; i < settings->n_ciphers_pairwise; i++) 4121 for (i = 0; i < settings->n_akm_suites; i++)
4119 if (!nl80211_valid_akm_suite(settings->akm_suites[i])) 4122 if (!nl80211_valid_akm_suite(settings->akm_suites[i]))
4120 return -EINVAL; 4123 return -EINVAL;
4121 } 4124 }