Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1b9ca027 authored by Jouni Malinen's avatar Jouni Malinen Committed by John W. Linville
Browse files

cfg80211: Fix validation of AKM suites 



Incorrect variable was used in validating the akm_suites array from
NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
validation of the array length (we only have room for
NL80211_MAX_NR_AKM_SUITES).

This can result in a buffer write overflow for stack variables with
arbitrary data from user space. The nl80211 commands using the affected
functionality require GENL_ADMIN_PERM, so this is only exposed to admin
users.

Cc: stable@kernel.org
Signed-off-by: default avatarJouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 65d0f19e

net/wireless/nl80211.c

+4 −1
Original line number Diff line number Diff line
@@ -4113,9 +4113,12 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev, 
		if (len % sizeof(u32))

			return -EINVAL;



		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)

			return -EINVAL;



		memcpy(settings->akm_suites, data, len);



		for (i = 0; i < settings->n_ciphers_pairwise; i++)

		for (i = 0; i < settings->n_akm_suites; i++)

			if (!nl80211_valid_akm_suite(settings->akm_suites[i]))

				return -EINVAL;

	}