summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2015-05-05 17:32:29 +0300
committerJohannes Berg <johannes.berg@intel.com>2015-05-06 14:30:00 +0300
commite3a55b5399d55200c024fe0c2984dc7ad049da44 (patch)
tree3d01512741ad7b572f7ad25519680fe02dcce569
parenta31cf1c69e89e0c2d5515b04aca313f1014a714d (diff)
downloadlinux-e3a55b5399d55200c024fe0c2984dc7ad049da44.tar.xz
mac80211: validate cipher scheme PN length better
Currently, a cipher scheme can advertise an arbitrarily long sequence counter, but mac80211 only supports up to 16 bytes and the initial value from userspace will be truncated. Fix two things: * don't allow the driver to register anything longer than the 16 bytes that mac80211 reserves space for * require userspace to specify a starting value with the correct length (or none at all) Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-rw-r--r--net/mac80211/key.c10
-rw-r--r--net/mac80211/main.c5
2 files changed, 10 insertions, 5 deletions
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 0a5d5c5ad30f..2e677376c958 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -485,15 +485,17 @@ ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
break;
default:
if (cs) {
- size_t len = (seq_len > IEEE80211_MAX_PN_LEN) ?
- IEEE80211_MAX_PN_LEN : seq_len;
+ if (seq_len && seq_len != cs->pn_len) {
+ kfree(key);
+ return ERR_PTR(-EINVAL);
+ }
key->conf.iv_len = cs->hdr_len;
key->conf.icv_len = cs->mic_len;
for (i = 0; i < IEEE80211_NUM_TIDS + 1; i++)
- for (j = 0; j < len; j++)
+ for (j = 0; j < seq_len; j++)
key->u.gen.rx_pn[i][j] =
- seq[len - j - 1];
+ seq[seq_len - j - 1];
key->flags |= KEY_FLAG_CIPHER_SCHEME;
}
}
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index effe9d39cd7e..3c956c5f99b2 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -768,8 +768,11 @@ static int ieee80211_init_cipher_suites(struct ieee80211_local *local)
suites[w++] = WLAN_CIPHER_SUITE_BIP_GMAC_256;
}
- for (r = 0; r < local->hw.n_cipher_schemes; r++)
+ for (r = 0; r < local->hw.n_cipher_schemes; r++) {
suites[w++] = cs[r].cipher;
+ if (WARN_ON(cs[r].pn_len > IEEE80211_MAX_PN_LEN))
+ return -EINVAL;
+ }
}
local->hw.wiphy->cipher_suites = suites;