From: Jouni Malinen Date: Wed, 21 Sep 2011 13:13:07 +0000 (+0300) Subject: cfg80211: Fix validation of AKM suites X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1b9ca0272ffae212e726380f66777b30a56ed7a5;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git cfg80211: Fix validation of AKM suites Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Cc: stable@kernel.org Signed-off-by: Jouni Malinen Signed-off-by: John W. Linville --- diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index e83e7fee3bc..ea40d540a99 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -4113,9 +4113,12 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev, if (len % sizeof(u32)) return -EINVAL; + if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES) + return -EINVAL; + memcpy(settings->akm_suites, data, len); - for (i = 0; i < settings->n_ciphers_pairwise; i++) + for (i = 0; i < settings->n_akm_suites; i++) if (!nl80211_valid_akm_suite(settings->akm_suites[i])) return -EINVAL; }