diff options
author | Johannes Berg <johannes.berg@intel.com> | 2015-05-05 16:32:29 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2015-05-06 13:30:00 +0200 |
commit | e3a55b5399d55200c024fe0c2984dc7ad049da44 (patch) | |
tree | 3d01512741ad7b572f7ad25519680fe02dcce569 /net/mac80211/key.c | |
parent | a31cf1c69e89e0c2d5515b04aca313f1014a714d (diff) | |
download | lwn-e3a55b5399d55200c024fe0c2984dc7ad049da44.tar.gz lwn-e3a55b5399d55200c024fe0c2984dc7ad049da44.zip |
mac80211: validate cipher scheme PN length better
Currently, a cipher scheme can advertise an arbitrarily long
sequence counter, but mac80211 only supports up to 16 bytes
and the initial value from userspace will be truncated.
Fix two things:
* don't allow the driver to register anything longer than
the 16 bytes that mac80211 reserves space for
* require userspace to specify a starting value with the
correct length (or none at all)
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/key.c')
-rw-r--r-- | net/mac80211/key.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/net/mac80211/key.c b/net/mac80211/key.c index 0a5d5c5ad30f..2e677376c958 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -485,15 +485,17 @@ ieee80211_key_alloc(u32 cipher, int idx, size_t key_len, break; default: if (cs) { - size_t len = (seq_len > IEEE80211_MAX_PN_LEN) ? - IEEE80211_MAX_PN_LEN : seq_len; + if (seq_len && seq_len != cs->pn_len) { + kfree(key); + return ERR_PTR(-EINVAL); + } key->conf.iv_len = cs->hdr_len; key->conf.icv_len = cs->mic_len; for (i = 0; i < IEEE80211_NUM_TIDS + 1; i++) - for (j = 0; j < len; j++) + for (j = 0; j < seq_len; j++) key->u.gen.rx_pn[i][j] = - seq[len - j - 1]; + seq[seq_len - j - 1]; key->flags |= KEY_FLAG_CIPHER_SCHEME; } } |