mac80211: validate cipher scheme PN length better
authorJohannes Berg <johannes.berg@intel.com>
Tue, 5 May 2015 14:32:29 +0000 (16:32 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Wed, 6 May 2015 11:30:00 +0000 (13:30 +0200)
Currently, a cipher scheme can advertise an arbitrarily long
sequence counter, but mac80211 only supports up to 16 bytes
and the initial value from userspace will be truncated.

Fix two things:
 * don't allow the driver to register anything longer than
   the 16 bytes that mac80211 reserves space for
 * require userspace to specify a starting value with the
   correct length (or none at all)

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/key.c
net/mac80211/main.c

index 0a5d5c5ad30fc8eb32ccb99d4380691c163f0ae8..2e677376c9585a58d1c8cbeb9390e3de3e4cafa3 100644 (file)
@@ -485,15 +485,17 @@ ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
                break;
        default:
                if (cs) {
-                       size_t len = (seq_len > IEEE80211_MAX_PN_LEN) ?
-                                               IEEE80211_MAX_PN_LEN : seq_len;
+                       if (seq_len && seq_len != cs->pn_len) {
+                               kfree(key);
+                               return ERR_PTR(-EINVAL);
+                       }
 
                        key->conf.iv_len = cs->hdr_len;
                        key->conf.icv_len = cs->mic_len;
                        for (i = 0; i < IEEE80211_NUM_TIDS + 1; i++)
-                               for (j = 0; j < len; j++)
+                               for (j = 0; j < seq_len; j++)
                                        key->u.gen.rx_pn[i][j] =
-                                                       seq[len - j - 1];
+                                                       seq[seq_len - j - 1];
                        key->flags |= KEY_FLAG_CIPHER_SCHEME;
                }
        }
index effe9d39cd7e44fbbd2369aec548d6cb92250733..3c956c5f99b2886bcd0516ee4ba598c02fb839bb 100644 (file)
@@ -768,8 +768,11 @@ static int ieee80211_init_cipher_suites(struct ieee80211_local *local)
                        suites[w++] = WLAN_CIPHER_SUITE_BIP_GMAC_256;
                }
 
-               for (r = 0; r < local->hw.n_cipher_schemes; r++)
+               for (r = 0; r < local->hw.n_cipher_schemes; r++) {
                        suites[w++] = cs[r].cipher;
+                       if (WARN_ON(cs[r].pn_len > IEEE80211_MAX_PN_LEN))
+                               return -EINVAL;
+               }
        }
 
        local->hw.wiphy->cipher_suites = suites;