diff options
| author | Jouni Malinen <jouni@qca.qualcomm.com> | 2011-09-21 16:13:07 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-07 13:47:05 -0800 |
| commit | 29dacf8da41a41d3e439cce7f939adeb8bb4ab76 (patch) | |
| tree | 5cc336fae1ea7e3c8726c3005570f7714fd98b25 /net | |
| parent | 8608c3131f166b628f6ccd49d508b682adc95827 (diff) | |
cfg80211: Fix validation of AKM suites
commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream.
Incorrect variable was used in validating the akm_suites array from
NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
validation of the array length (we only have room for
NL80211_MAX_NR_AKM_SUITES).
This can result in a buffer write overflow for stack variables with
arbitrary data from user space. The nl80211 commands using the affected
functionality require GENL_ADMIN_PERM, so this is only exposed to admin
users.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
| -rw-r--r-- | net/wireless/nl80211.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index eb1674f6bea..b1efd9d4a52 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -3539,9 +3539,12 @@ static int nl80211_crypto_settings(struct genl_info *info, if (len % sizeof(u32)) return -EINVAL; + if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES) + return -EINVAL; + memcpy(settings->akm_suites, data, len); - for (i = 0; i < settings->n_ciphers_pairwise; i++) + for (i = 0; i < settings->n_akm_suites; i++) if (!nl80211_valid_akm_suite(settings->akm_suites[i])) return -EINVAL; } |