Skip to content

L
linux
Commit 3b83e963 authored by Jouni Malinen's avatar Jouni Malinen Committed by Greg Kroah-Hartman
Browse files
Options

cfg80211: Fix validation of AKM suites 

commit 1b9ca027 upstream.

Incorrect variable was used in validating the akm_suites array from
NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
validation of the array length (we only have room for
NL80211_MAX_NR_AKM_SUITES).

This can result in a buffer write overflow for stack variables with
arbitrary data from user space. The nl80211 commands using the affected
functionality require GENL_ADMIN_PERM, so this is only exposed to admin
users.
Signed-off-by: default avatarJouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 8c1addec
Show whitespace changes
Inline Side-by-side
Showing with 4 additions and 1 deletion
net/wireless/nl80211.c
View file @ 3b83e963
......@@ -3364,9 +3364,12 @@ static int nl80211_crypto_settings(struct genl_info *info,
if (len % sizeof(u32))
return -EINVAL;
if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
return -EINVAL;
memcpy(settings->akm_suites, data, len);
for (i = 0; i < settings->n_ciphers_pairwise; i++)
for (i = 0; i < settings->n_akm_suites; i++)
if (!nl80211_valid_akm_suite(settings->akm_suites[i]))
return -EINVAL;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7