| Message ID | 20210221174321.14210-1-aahringo@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | [wpan,1/4] net: ieee802154: fix nl802154 del llsec key | expand |
On Sun, 21 Feb 2021 12:43:18 -0500 Alexander Aring wrote: > This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is > not set by the user. If this is the case nl802154 will return -EINVAL. > > Reported-by: syzbot+ac5c11d2959a8b3c4806@syzkaller.appspotmail.com > Signed-off-by: Alexander Aring <aahringo@redhat.com> Looks like there is a wpan tree, but in recent years Dave just applies ieee802154 patches directly. I'm going to apply these directly as well, please let me know if I shouldn't, or more review time is needed.
Hello. On 21.02.21 18:43, Alexander Aring wrote: > This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is > not set by the user. If this is the case nl802154 will return -EINVAL. > > Reported-by: syzbot+ac5c11d2959a8b3c4806@syzkaller.appspotmail.com > Signed-off-by: Alexander Aring <aahringo@redhat.com> > --- > net/ieee802154/nl802154.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c > index 7c5a1aa5adb4..2f0a138bd5eb 100644 > --- a/net/ieee802154/nl802154.c > +++ b/net/ieee802154/nl802154.c > @@ -1592,7 +1592,8 @@ static int nl802154_del_llsec_key(struct sk_buff *skb, struct genl_info *info) > struct nlattr *attrs[NL802154_KEY_ATTR_MAX + 1]; > struct ieee802154_llsec_key_id id; > > - if (nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack)) > + if (!info->attrs[NL802154_ATTR_SEC_KEY] || > + nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack)) > return -EINVAL; > > if (ieee802154_llsec_parse_key_id(attrs[NL802154_KEY_ATTR_ID], &id) < 0) > This patch has been applied to the wpan tree and will be part of the next pull request to net. Thanks! regards Stefan Schmidt
diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c index 7c5a1aa5adb4..2f0a138bd5eb 100644 --- a/net/ieee802154/nl802154.c +++ b/net/ieee802154/nl802154.c @@ -1592,7 +1592,8 @@ static int nl802154_del_llsec_key(struct sk_buff *skb, struct genl_info *info) struct nlattr *attrs[NL802154_KEY_ATTR_MAX + 1]; struct ieee802154_llsec_key_id id; - if (nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack)) + if (!info->attrs[NL802154_ATTR_SEC_KEY] || + nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack)) return -EINVAL; if (ieee802154_llsec_parse_key_id(attrs[NL802154_KEY_ATTR_ID], &id) < 0)
This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is not set by the user. If this is the case nl802154 will return -EINVAL. Reported-by: syzbot+ac5c11d2959a8b3c4806@syzkaller.appspotmail.com Signed-off-by: Alexander Aring <aahringo@redhat.com> --- net/ieee802154/nl802154.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)