• Jouni Malinen's avatar
    mac80211: Fix key freeing to handle unlinked keys · 32162a4d
    Jouni Malinen authored
    Key locking simplification removed key->sdata != NULL verification from
    ieee80211_key_free(). While that is fine for most use cases, there is one
    path where this function can be called with an unlinked key (i.e.,
    key->sdata == NULL && key->local == NULL). This results in a NULL pointer
    dereference with the current implementation. This is known to happen at
    least with FT protocol when wpa_supplicant tries to configure the key
    before association.
    
    Avoid the issue by passing in the local pointer to
    ieee80211_key_free(). In addition, do not clear the key from hw_accel
    or debugfs if it has not yet been added. At least the hw_accel one could
    trigger another NULL pointer dereference.
    Signed-off-by: default avatarJouni Malinen <j@w1.fi>
    Reviewed-by: default avatarJohannes Berg <johannes@sipsolutions.net>
    Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
    32162a4d
key.h 3.66 KB