Commit 9f59089e authored by Maximilian Luz's avatar Maximilian Luz Committed by Greg Kroah-Hartman

mwifiex: Increase AES key storage size to 256 bits

[ Upstream commit 4afc850e ]

Following commit e1869678 ("mwifiex: Prevent memory corruption
handling keys") the mwifiex driver fails to authenticate with certain
networks, specifically networks with 256 bit keys, and repeatedly asks
for the password. The kernel log repeats the following lines (id and
bssid redacted):

    mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
    mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
    mwifiex_pcie 0000:01:00.0: crypto keys added
    mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3

Tracking down this problem lead to the overflow check introduced by the
aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
check fails on networks with 256 bit keys due to the current storage
size for AES keys in struct mwifiex_aes_param being only 128 bit.

To fix this issue, increase the storage size for AES keys to 256 bit.

Fixes: e1869678 ("mwifiex: Prevent memory corruption handling keys")
Signed-off-by: default avatarMaximilian Luz <luzmaximilian@gmail.com>
Reported-by: default avatarKaloyan Nikolov <konik98@gmail.com>
Tested-by: default avatarKaloyan Nikolov <konik98@gmail.com>
Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarBrian Norris <briannorris@chromium.org>
Tested-by: default avatarBrian Norris <briannorris@chromium.org>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 907a6ee8
...@@ -953,7 +953,7 @@ struct mwifiex_tkip_param { ...@@ -953,7 +953,7 @@ struct mwifiex_tkip_param {
struct mwifiex_aes_param { struct mwifiex_aes_param {
u8 pn[WPA_PN_SIZE]; u8 pn[WPA_PN_SIZE];
__le16 key_len; __le16 key_len;
u8 key[WLAN_KEY_LEN_CCMP]; u8 key[WLAN_KEY_LEN_CCMP_256];
} __packed; } __packed;
struct mwifiex_wapi_param { struct mwifiex_wapi_param {
......
...@@ -620,7 +620,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, ...@@ -620,7 +620,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
key_v2 = &resp->params.key_material_v2; key_v2 = &resp->params.key_material_v2;
len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
if (len > WLAN_KEY_LEN_CCMP) if (len > sizeof(key_v2->key_param_set.key_params.aes.key))
return -EINVAL; return -EINVAL;
if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
...@@ -636,7 +636,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, ...@@ -636,7 +636,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
return 0; return 0;
memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
WLAN_KEY_LEN_CCMP); sizeof(key_v2->key_param_set.key_params.aes.key));
priv->aes_key_v2.key_param_set.key_params.aes.key_len = priv->aes_key_v2.key_param_set.key_params.aes.key_len =
cpu_to_le16(len); cpu_to_le16(len);
memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment