authorJohannes Berg <johannes.berg@intel.com>2016-09-13 17:08:23 +0200
committerAlexander Grund <flamefire89@gmail.com>2023-11-09 19:17:24 +0100
commit196f051e4dbc6530443109e06fcb309764cd5823 (patch)
treee639d9bc7b08a7e609410a11fc961196f0f1e3e8
parent9ab0ab713c94a95b69769a60fec1b63c4a3b28df (diff)
cfg80211: allow connect keys only with default (TX) key
There's no point in allowing connect keys when one of them isn't also configured as the TX key, it would just confuse drivers and probably cause them to pick something for TX. Disallow this confusing and erroneous configuration. As wpa_supplicant will always send NL80211_ATTR_KEYS, even when there are no keys inside, allow that and treat it as though the attribute isn't present at all. Change-Id: Ib3b7b5100cb2914c7f085597b36bb695b827e9ab Signed-off-by: Johannes Berg <johannes.berg@intel.com> Stable-dep-of: 66af4a2ab1d65 ("wifi: cfg80211: Fix use after free for wext") Signed-off-by: Ulrich Hecht <uli+cip@fpond.eu>
-rw-r--r--net/wireless/ibss.c5
-rw-r--r--net/wireless/nl80211.c14
-rw-r--r--net/wireless/sme.c3
-rw-r--r--net/wireless/wext-sme.c2
4 files changed, 22 insertions, 2 deletions
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index d604c9f91b96..398fa066d249 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -114,6 +114,9 @@ static int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
}
}
+ if (WARN_ON(connkeys && connkeys->def < 0))
+ return -EINVAL;
+
if (WARN_ON(wdev->connect_keys))
kzfree(wdev->connect_keys);
wdev->connect_keys = connkeys;
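Review bot: The new early return in `__cfg80211_join_ibss` leaves `connkeys` untouched, and nothing in the hunk shows who frees it on that path. The same applies to the `WARN_ON(connkeys)` return added to `cfg80211_connect` in net/wireless/sme.c, which also exits before `wdev->connect_keys = connkeys;`. If callers already release the keys on every error this is fine, but a short comment would make the contract explicit, e.g. `/* on error the caller keeps ownership of connkeys and must free it */`. The buffer presumably holds key material, so that caller-side free should be the zeroing variant (`kzfree`, as used just below). The function body starts and continues outside the hunk.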
@@ -292,7 +295,7 @@ int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
wdev->wext.ibss.privacy = wdev->wext.default_key != -1;
- if (wdev->wext.keys) {
+ if (wdev->wext.keys && wdev->wext.keys->def != -1) {
ck = kmemdup(wdev->wext.keys, sizeof(*ck), GFP_KERNEL);
if (!ck)
return -ENOMEM;
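Review bot: The wext guard tests `wdev->wext.keys->def != -1`, while the checks added in `__cfg80211_join_ibss` and `nl80211_parse_connkeys` reject `def < 0`. Any other negative value would pass this guard, be copied, and presumably trip the `WARN_ON` in `__cfg80211_join_ibss`. Writing it as `if (wdev->wext.keys && wdev->wext.keys->def >= 0) {` keeps the sites in agreement, and the same applies to the identical condition in `cfg80211_mgd_wext_connect` (net/wireless/wext-sme.c). Note also that the line above derives `privacy` from `wdev->wext.default_key`, a different field; whether the two are always kept in sync is not visible here.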
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index b6ce2bcac4b9..780cf7bf841e 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -889,6 +889,15 @@ nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
struct nlattr *key;
struct cfg80211_cached_keys *result;
int rem, err, def = 0;
+ bool have_key = false;
+
+ nla_for_each_nested(key, keys, rem) {
+ have_key = true;
+ break;
+ }
+
+ if (!have_key)
+ return NULL;
result = kzalloc(sizeof(*result), GFP_KERNEL);
if (!result)
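Review bot: The one-iteration `nla_for_each_nested` loop is only an emptiness test, which is not obvious when reading the code. A comment above it such as `/* wpa_supplicant always sends NL80211_ATTR_KEYS, possibly empty: treat an empty nest as absent */` would carry the rationale from the commit message into the source. The function also now returns NULL in addition to its error return, so callers (not visible in this hunk) must treat NULL as "no keys" rather than as failure or as a valid pointer; that is worth stating in the function's header comment.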
@@ -934,6 +943,11 @@ nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
}
}
+ if (result->def < 0) {
+ err = -EINVAL;
+ goto error;
+ }
+
return result;
error:
kfree(result);
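Review bot: The added `goto error` runs after the parse loop, so `result` may already hold copied key bytes when it reaches `kfree(result)`. The copy itself is above the hunk, so this is inferred. The ibss.c context in this same commit frees cached keys with `kzfree()`, and the error label here should do likewise so rejected key material is not left readable in freed memory: `kzfree(result);`. The rest of the error path, including the value returned, is outside the hunk.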
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index ed772d4937a9..b3ce6a894af7 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -1116,6 +1116,9 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
connect->crypto.ciphers_pairwise[0] = cipher;
}
}
+ } else {
+ if (WARN_ON(connkeys))
+ return -EINVAL;
}
wdev->connect_keys = connkeys;
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index 98ff9d9e1aa9..8cc9a5f406ee 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -43,7 +43,7 @@ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,
if (!wdev->wext.connect.ssid_len)
return 0;
- if (wdev->wext.keys) {
+ if (wdev->wext.keys && wdev->wext.keys->def != -1) {
ck = kmemdup(wdev->wext.keys, sizeof(*ck), GFP_KERNEL);
if (!ck)
return -ENOMEM;