Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aeb136c5 authored by Max Stepanov's avatar Max Stepanov Committed by Johannes Berg
Browse files

mac80211: fix a potential NULL access in ieee80211_crypto_hw_decrypt 



The NULL pointer access could happen when ieee80211_crypto_hw_decrypt
is called from ieee80211_rx_h_decrypt with the following condition:
1. rx->key->conf.cipher is not WEP, CCMP, TKIP or AES_CMAC
2. rx->sta is NULL

When ieee80211_crypto_hw_decrypt is called, it verifies
rx->sta->cipher_scheme and it will cause Oops if rx->sta is NULL.

This path adds an addirional rx->sta == NULL verification in
ieee80211_crypto_hw_decrypt for this case.

Signed-off-by: default avatarMax Stepanov <Max.Stepanov@intel.com>
Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent fa96aabb

net/mac80211/wpa.c

+1 −1
Original line number Diff line number Diff line
@@ -811,7 +811,7 @@ ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx) 
ieee80211_rx_result

ieee80211_crypto_hw_decrypt(struct ieee80211_rx_data *rx)

{

	if (rx->sta->cipher_scheme)

	if (rx->sta && rx->sta->cipher_scheme)

		return ieee80211_crypto_cs_decrypt(rx);



	return RX_DROP_UNUSABLE;