author | David S. Miller <davem@davemloft.net> | 2017-09-19 20:51:08 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-09-19 20:51:08 +0300 |
commit | fd0e4c599969d4bdeb375fb82240f88bb896ae20 (patch) | |
tree | 2838c8be5d84f1d16e7fe6946062281a3ceb5234 | |
parent | 3993491bf27117782bee05debc6a6afa51d61760 (diff) | |
parent | 265698d7e6132a2d41471135534f4f36ad15b09c (diff) | |
Merge tag 'mac80211-for-davem-2017-11-19' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
Johannes Berg says:
====================
Just two netlink fixes, both allowing privileged users
to crash the kernel with malformed netlink messages.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/wireless/nl80211.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0df8023f480b..690874293cfc 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9987,6 +9987,9 @@ static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
 if (err)
 return err;
+ if (!setup.chandef.chan)
+ return -EINVAL;
+
 err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band, &setup.beacon_rate);
 if (err)
@@ -10903,6 +10906,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
 if (err)
 return err;
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
 if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
 return -ERANGE;
 if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN) |
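Review bot: The new `if (!setup.chandef.chan)` guard in nl80211_join_mesh() carries no comment, so a reader cannot tell when the channel pointer is legitimately NULL or that the check exists to protect the `setup.chandef.chan->band` dereference in the `validate_beacon_tx_rate()` call right after it. A comment above the check, e.g. `/* no channel in the request: nothing to validate the beacon rate against */`, would keep a later cleanup from dropping it as redundant. Presumably the pointer stays NULL when the request omits the frequency attribute, but that code and the rest of the function are outside the hunk, so the wording should be confirmed against it.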
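Review bot: The presence test added before the `nla_len()` calls in nl80211_set_rekey_data() returns a bare `-EINVAL`, so user space cannot tell a missing nested attribute from any other invalid argument. If this tree has netlink extended-ack support, set a message before returning, e.g. `GENL_SET_ERR_MSG(info, "rekey data needs replay counter, KEK and KCK");`. A short comment that `tb[]` entries appear to be NULL for attributes absent from the message, and that `nla_len()` reads through its argument, would also record why the presence test has to come before the length tests. The function continues outside the hunk, which ends on the KEK length test.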