diff options
author | Jouni Malinen <jouni@qca.qualcomm.com> | 2011-09-21 09:13:07 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2011-09-21 15:58:24 -0400 |
commit | 1b9ca0272ffae212e726380f66777b30a56ed7a5 (patch) | |
tree | dd91eefd0ee5fe21ba06816a4a25cc2303603744 /net | |
parent | 65d0f19e583e80e42b1c67c166bfc4dfdf6ab693 (diff) |
cfg80211: Fix validation of AKM suites
Incorrect variable was used in validating the akm_suites array from
NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
validation of the array length (we only have room for
NL80211_MAX_NR_AKM_SUITES).
This can result in a buffer write overflow for stack variables with
arbitrary data from user space. The nl80211 commands using the affected
functionality require GENL_ADMIN_PERM, so this is only exposed to admin
users.
Cc: stable@kernel.org
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/wireless/nl80211.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index e83e7fee3bc0..ea40d540a990 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c | |||
@@ -4113,9 +4113,12 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev, | |||
4113 | if (len % sizeof(u32)) | 4113 | if (len % sizeof(u32)) |
4114 | return -EINVAL; | 4114 | return -EINVAL; |
4115 | 4115 | ||
4116 | if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES) | ||
4117 | return -EINVAL; | ||
4118 | |||
4116 | memcpy(settings->akm_suites, data, len); | 4119 | memcpy(settings->akm_suites, data, len); |
4117 | 4120 | ||
4118 | for (i = 0; i < settings->n_ciphers_pairwise; i++) | 4121 | for (i = 0; i < settings->n_akm_suites; i++) |
4119 | if (!nl80211_valid_akm_suite(settings->akm_suites[i])) | 4122 | if (!nl80211_valid_akm_suite(settings->akm_suites[i])) |
4120 | return -EINVAL; | 4123 | return -EINVAL; |
4121 | } | 4124 | } |