summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXinming Hu <huxm@marvell.com>2014-12-26 03:02:32 -0800
committerKalle Valo <kvalo@codeaurora.org>2015-01-06 21:09:25 +0200
commit2ab87d5d670d6946cae03b519ab9ef76c932d1a3 (patch)
tree9110d70cd47d3ec4c9305c72ad40f5b793a722e3
parentbd7d0d103ae8c841c0e2b9fd6c5e591b2fae3bb5 (diff)
downloadlinux-2ab87d5d670d6946cae03b519ab9ef76c932d1a3.tar.bz2
mwifiex: do not send key material cmd when delete wep key
This patch fixes memory corruption reported by community developer. "Memory corruption occurs in mwifiex_ret_802_11_key_material_v1() when a short command response is received without a key length causing non initialised memory to be interpreted as the key length resulting in a memcpy() overwriting the part of the driver's private data structure beyond the key area." For v1 key material API firmwares, there is no need to send command to delete WEP key. WEP encryption/decryption is controlled by mac_control command. This patch avoids sending key material command in del_key case. Reported-by: Martin Fuzzey <mfuzzey@parkeon.com> Signed-off-by: Xinming Hu <huxm@marvell.com> Signed-off-by: Cathy Luo <cluo@marvell.com> Signed-off-by: Avinash Patil <patila@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-rw-r--r--drivers/net/wireless/mwifiex/sta_ioctl.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index 1626868a4b5c..fb9c5fc83e5d 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -902,9 +902,12 @@ static int mwifiex_sec_ioctl_set_wep_key(struct mwifiex_private *priv,
if (wep_key->key_length) {
void *enc_key;
- if (encrypt_key->key_disable)
+ if (encrypt_key->key_disable) {
memset(&priv->wep_key[index], 0,
sizeof(struct mwifiex_wep_key));
+ if (wep_key->key_length)
+ goto done;
+ }
if (adapter->key_api_major_ver == KEY_API_VER_MAJOR_V2)
enc_key = encrypt_key;
@@ -918,6 +921,7 @@ static int mwifiex_sec_ioctl_set_wep_key(struct mwifiex_private *priv,
return ret;
}
+done:
if (priv->sec_info.wep_enabled)
priv->curr_pkt_filter |= HostCmd_ACT_MAC_WEP_ENABLE;
else