summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2017-09-19 20:51:08 +0300
committerDavid S. Miller <davem@davemloft.net>2017-09-19 20:51:08 +0300
commitfd0e4c599969d4bdeb375fb82240f88bb896ae20 (patch)
tree2838c8be5d84f1d16e7fe6946062281a3ceb5234
parent3993491bf27117782bee05debc6a6afa51d61760 (diff)
parent265698d7e6132a2d41471135534f4f36ad15b09c (diff)
downloadlinux-fd0e4c599969d4bdeb375fb82240f88bb896ae20.tar.xz
Merge tag 'mac80211-for-davem-2017-11-19' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
Johannes Berg says: ==================== Just two netlink fixes, both allowing privileged users to crash the kernel with malformed netlink messages. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/wireless/nl80211.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0df8023f480b..690874293cfc 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9987,6 +9987,9 @@ static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
if (err)
return err;
+ if (!setup.chandef.chan)
+ return -EINVAL;
+
err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
&setup.beacon_rate);
if (err)
@@ -10903,6 +10906,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
if (err)
return err;
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)