mac80211: check pairwise key_idx on get_key call
authorMax Stepanov <Max.Stepanov@intel.com>
Sun, 8 Dec 2013 11:30:52 +0000 (13:30 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Mon, 16 Dec 2013 14:10:10 +0000 (15:10 +0100)
Verify that a pairwise key index value on ieee80211_get_key call
doesn't exceed the boundaries of the pairwise key array.

Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/cfg.c

index 35bb71be72bbd2ed986681b91065128e77593fe5..0962c77f013e4adeba562319312c4f58c189299e 100644 (file)
@@ -301,9 +301,9 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev,
                if (!sta)
                        goto out;
 
-               if (pairwise)
+               if (pairwise && key_idx < NUM_DEFAULT_KEYS)
                        key = rcu_dereference(sta->ptk[key_idx]);
-               else if (key_idx < NUM_DEFAULT_KEYS)
+               else if (!pairwise && key_idx < NUM_DEFAULT_KEYS)
                        key = rcu_dereference(sta->gtk[key_idx]);
        } else
                key = rcu_dereference(sdata->keys[key_idx]);