mac80211: validate cipher scheme PN length better

Currently, a cipher scheme can advertise an arbitrarily long sequence counter, but mac80211 only supports up to 16 bytes and the initial value from userspace will be truncated. Fix two things: * don't allow the driver to register anything longer than the 16 bytes that mac80211 reserves space for * require userspace to specify a starting value with the correct length (or none at all) Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Johannes Berg 2015-05-05 16:32:29 +0200
committer: Johannes Berg 2015-05-06 13:30:00 +0200
commit: e3a55b5399d55200c024fe0c2984dc7ad049da44 (patch)
tree: 3d01512741ad7b572f7ad25519680fe02dcce569 /net/mac80211/main.c
parent: a31cf1c69e89e0c2d5515b04aca313f1014a714d (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index effe9d39cd7e..3c956c5f99b2 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -768,8 +768,11 @@ static int ieee80211_init_cipher_suites(struct ieee80211_local *local)
 			suites[w++] = WLAN_CIPHER_SUITE_BIP_GMAC_256;
 		}
 
-		for (r = 0; r < local->hw.n_cipher_schemes; r++)
+		for (r = 0; r < local->hw.n_cipher_schemes; r++) {
 			suites[w++] = cs[r].cipher;
+			if (WARN_ON(cs[r].pn_len > IEEE80211_MAX_PN_LEN))
+				return -EINVAL;
+		}
 	}
 
 	local->hw.wiphy->cipher_suites = suites;
author	Johannes Berg	2015-05-05 16:32:29 +0200
committer	Johannes Berg	2015-05-06 13:30:00 +0200
commit	e3a55b5399d55200c024fe0c2984dc7ad049da44 (patch)
tree	3d01512741ad7b572f7ad25519680fe02dcce569 /net/mac80211/main.c
parent	a31cf1c69e89e0c2d5515b04aca313f1014a714d (diff)