| From 1b9ca0272ffae212e726380f66777b30a56ed7a5 Mon Sep 17 00:00:00 2001 |
| From: Jouni Malinen <jouni@qca.qualcomm.com> |
| Date: Wed, 21 Sep 2011 16:13:07 +0300 |
| Subject: cfg80211: Fix validation of AKM suites |
| |
| From: Jouni Malinen <jouni@qca.qualcomm.com> |
| |
| commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream. |
| |
| Incorrect variable was used in validating the akm_suites array from |
| NL80211_ATTR_AKM_SUITES. In addition, there was no explicit |
| validation of the array length (we only have room for |
| NL80211_MAX_NR_AKM_SUITES). |
| |
| This can result in a buffer write overflow for stack variables with |
| arbitrary data from user space. The nl80211 commands using the affected |
| functionality require GENL_ADMIN_PERM, so this is only exposed to admin |
| users. |
| |
| Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> |
| Signed-off-by: John W. Linville <linville@tuxdriver.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/wireless/nl80211.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| --- a/net/wireless/nl80211.c |
| +++ b/net/wireless/nl80211.c |
| @@ -3364,9 +3364,12 @@ static int nl80211_crypto_settings(struc |
| if (len % sizeof(u32)) |
| return -EINVAL; |
| |
| + if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES) |
| + return -EINVAL; |
| + |
| memcpy(settings->akm_suites, data, len); |
| |
| - for (i = 0; i < settings->n_ciphers_pairwise; i++) |
| + for (i = 0; i < settings->n_akm_suites; i++) |
| if (!nl80211_valid_akm_suite(settings->akm_suites[i])) |
| return -EINVAL; |
| } |