mac80211: bail out if cipher schemes are invalid

If any of the cipher schemes specified by the driver are invalid, bail out and fail the registration rather than just warning. Otherwise, we might later crash when we try to use the invalid cipher scheme, e.g. if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd have an out-of-bounds access in RX validation. Fixes: 2475b1cc ("mac80211: add generic cipher scheme support") Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeidSigned-off-by: Johannes Berg <johannes.berg@intel.com>

mac80211: bail out if cipher schemes are invalid
If any of the cipher schemes specified by the driver are invalid, bail out and fail the registration rather than just warning. Otherwise, we might later crash when we try to use the invalid cipher scheme, e.g. if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd have an out-of-bounds access in RX validation. Fixes: 2475b1cc ("mac80211: add generic cipher scheme support") Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeidSigned-off-by: Johannes Berg <johannes.berg@intel.com>
db878e27 · Johannes Berg · d6843d1e · db878e27
Commit db878e27 authored Apr 08, 2021 by Johannes Berg
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

net/mac80211/main.c net/mac80211/main.c +5 -2

No files found.
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1141,8 +1141,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
 	if (local->hw.wiphy->max_scan_ie_len)
 		local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len;

-	WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
-					 local->hw.n_cipher_schemes));
+	if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
+					     local->hw.n_cipher_schemes))) {
+		result = -EINVAL;
+		goto fail_workqueue;
+	}

 	result = ieee80211_init_cipher_suites(local);
 	if (result < 0)