summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2011-09-21 16:13:07 +0300
committerGreg Kroah-Hartman <gregkh@suse.de>2011-11-07 12:32:10 -0800
commit3b83e963b92ac32af38b379d9bb30d84c383b40d (patch)
treec18f1256937d21d918ae76e03433973400f2e2f3 /net
parent8c1addec1bf8b23dd731580329e055a189b37564 (diff)
downloadlwn-3b83e963b92ac32af38b379d9bb30d84c383b40d.tar.gz
lwn-3b83e963b92ac32af38b379d9bb30d84c383b40d.zip
cfg80211: Fix validation of AKM suites
commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream. Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/nl80211.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index f0341e4dd390..c901245e4ceb 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3364,9 +3364,12 @@ static int nl80211_crypto_settings(struct genl_info *info,
if (len % sizeof(u32))
return -EINVAL;
+ if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
+ return -EINVAL;
+
memcpy(settings->akm_suites, data, len);
- for (i = 0; i < settings->n_ciphers_pairwise; i++)
+ for (i = 0; i < settings->n_akm_suites; i++)
if (!nl80211_valid_akm_suite(settings->akm_suites[i]))
return -EINVAL;
}