diff options
| author | Gregory Greenman <gregory.greenman@intel.com> | 2023-06-13 15:57:21 +0300 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2023-06-14 12:32:20 +0200 |
| commit | 637452360ecde9ac972d19416e9606529576b302 (patch) | |
| tree | 6c607e759705cba4645c98d7898a5b16a215c3e1 /drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | |
| parent | 9c5608b3643e99ad03c4a99e88842f2a3ce7f1e0 (diff) | |
| download | linux-637452360ecde9ac972d19416e9606529576b302.tar.gz linux-637452360ecde9ac972d19416e9606529576b302.tar.bz2 linux-637452360ecde9ac972d19416e9606529576b302.zip | |
wifi: iwlwifi: mvm: fix potential array out of bounds access
Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying
key_len size in iwl_mvm_sec_key_add().
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230613155501.f193b7493a93.I6948ba625b9318924b96a5e22602ac75d2bd0125@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c')
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c index 3e6f86f644b5..995c0e01b331 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c @@ -1,6 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause /* - * Copyright (C) 2022 Intel Corporation + * Copyright (C) 2022 - 2023 Intel Corporation */ #include <linux/kernel.h> #include <net/mac80211.h> @@ -175,9 +175,14 @@ int iwl_mvm_mld_send_key(struct iwl_mvm *mvm, u32 sta_mask, u32 key_flags, .u.add.key_flags = cpu_to_le32(key_flags), .u.add.tx_seq = cpu_to_le64(atomic64_read(&keyconf->tx_pn)), }; + int max_key_len = sizeof(cmd.u.add.key); int ret; - if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key))) + if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 || + keyconf->cipher == WLAN_CIPHER_SUITE_WEP104) + max_key_len -= IWL_SEC_WEP_KEY_OFFSET; + + if (WARN_ON(keyconf->keylen > max_key_len)) return -EINVAL; if (WARN_ON(!sta_mask)) |