Commit e3a55b53 authored by Johannes Berg's avatar Johannes Berg

mac80211: validate cipher scheme PN length better

Currently, a cipher scheme can advertise an arbitrarily long
sequence counter, but mac80211 only supports up to 16 bytes
and the initial value from userspace will be truncated.

Fix two things:
 * don't allow the driver to register anything longer than
   the 16 bytes that mac80211 reserves space for
 * require userspace to specify a starting value with the
   correct length (or none at all)
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent a31cf1c6
......@@ -485,15 +485,17 @@ ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
break;
default:
if (cs) {
size_t len = (seq_len > IEEE80211_MAX_PN_LEN) ?
IEEE80211_MAX_PN_LEN : seq_len;
if (seq_len && seq_len != cs->pn_len) {
kfree(key);
return ERR_PTR(-EINVAL);
}
key->conf.iv_len = cs->hdr_len;
key->conf.icv_len = cs->mic_len;
for (i = 0; i < IEEE80211_NUM_TIDS + 1; i++)
for (j = 0; j < len; j++)
for (j = 0; j < seq_len; j++)
key->u.gen.rx_pn[i][j] =
seq[len - j - 1];
seq[seq_len - j - 1];
key->flags |= KEY_FLAG_CIPHER_SCHEME;
}
}
......
......@@ -768,8 +768,11 @@ static int ieee80211_init_cipher_suites(struct ieee80211_local *local)
suites[w++] = WLAN_CIPHER_SUITE_BIP_GMAC_256;
}
for (r = 0; r < local->hw.n_cipher_schemes; r++)
for (r = 0; r < local->hw.n_cipher_schemes; r++) {
suites[w++] = cs[r].cipher;
if (WARN_ON(cs[r].pn_len > IEEE80211_MAX_PN_LEN))
return -EINVAL;
}
}
local->hw.wiphy->cipher_suites = suites;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment