diff mbox series

[10/15] mac80211: bail out if cipher schemes are invalid

Message ID	iwlwifi.20210409123755.381cfb3f1dc1.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid
State	New
Headers	show Return-Path: <linux-wireless-owner@kernel.org> From: Luca Coelho <luca@coelho.fi> To: johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org Date: Fri, 9 Apr 2021 12:40:23 +0300 Message-Id: <iwlwifi.20210409123755.381cfb3f1dc1.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid> In-Reply-To: <20210409094028.356611-1-luca@coelho.fi> References: <20210409094028.356611-1-luca@coelho.fi> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [PATCH 10/15] mac80211: bail out if cipher schemes are invalid Precedence: bulk
Series	cfg80211/mac80211 patches from our internal tree 2021-04-09 \| expand [00/15] cfg80211/mac80211 patches from our internal tree 2021-04-09 [01/15] mac80211: drop the connection if firmware crashed while in CSA [02/15] nl80211: Add new RSNXE related nl80211 extended features [03/15] mac80211: properly drop the connection in case of invalid CSA IE [04/15] wireless: align some HE capabilities with the spec [05/15] cfg80211: don't WARN if a self-managed device doesn't have a regdom [06/15] mac80211: make ieee80211_vif_to_wdev work when the vif isn't in the driver [07/15] wireless: align HE capabilities A-MPDU Length Exponent Extension [08/15] cfg80211: allow to specifying a reason for hw_rfkill [09/15] cfg80211: Remove wrong RNR IE validation check [10/15] mac80211: bail out if cipher schemes are invalid [11/15] wireless: fix spelling of A-MSDU in HE capabilities [12/15] nl80211/cfg80211: add a flag to negotiate for LMR feedback in NDP ranging [13/15] ieee80211: add the values of ranging parameters max LTF total field [14/15] mac80211: clear the beacon's CRC after channel switch [15/15] mac80211: aes_cmac: check crypto_shash_setkey() return value

Commit Message

Luca Coelho April 9, 2021, 9:40 a.m. UTC

From: Johannes Berg <johannes.berg@intel.com>

If any of the cipher schemes specified by the driver are invalid, bail
out and fail the registration rather than just warning.  Otherwise, we
might later crash when we try to use the invalid cipher scheme, e.g.
if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd
have an out-of-bounds access in RX validation.

Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 net/mac80211/main.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff mbox series

Patch

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index f27aed37ed2b..ba624cb250b3 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1137,8 +1137,11 @@  int ieee80211_register_hw(struct ieee80211_hw *hw)
 	if (local->hw.wiphy->max_scan_ie_len)
 		local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len;
 
-	WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
-					 local->hw.n_cipher_schemes));
+	if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
+					     local->hw.n_cipher_schemes))) {
+		result = -EINVAL;
+		goto fail_workqueue;
+	}
 
 	result = ieee80211_init_cipher_suites(local);
 	if (result < 0)