cfg80211: Fix validation of AKM suites

commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream. Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
author: Jouni Malinen <jouni@qca.qualcomm.com> 2011-09-21 16:13:07 +0300
committer: Paul Gortmaker <paul.gortmaker@windriver.com> 2012-08-17 15:35:22 -0400
commit: 9118b81229e62eb080ec68a1dc98b36c509b66d2 (patch)
tree: 16493d718b64edd2e17e3b57251fef99b09c4344 /net
parent: 78d645ad7c66e81342cfde0e90a701c32c11eee6 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 56bc9b99da22..fde82a8ac5da 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3537,9 +3537,12 @@ static int nl80211_crypto_settings(struct genl_info *info,
 		if (len % sizeof(u32))
 			return -EINVAL;
 
+		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
+			return -EINVAL;
+
 		memcpy(settings->akm_suites, data, len);
 
-		for (i = 0; i < settings->n_ciphers_pairwise; i++)
+		for (i = 0; i < settings->n_akm_suites; i++)
 			if (!nl80211_valid_akm_suite(settings->akm_suites[i]))
 				return -EINVAL;
 	}
author	Jouni Malinen <jouni@qca.qualcomm.com>	2011-09-21 16:13:07 +0300
committer	Paul Gortmaker <paul.gortmaker@windriver.com>	2012-08-17 15:35:22 -0400
commit	9118b81229e62eb080ec68a1dc98b36c509b66d2 (patch)
tree	16493d718b64edd2e17e3b57251fef99b09c4344 /net
parent	78d645ad7c66e81342cfde0e90a701c32c11eee6 (diff)