summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2016-09-28 23:44:57 +0200
committerJohannes Berg <johannes.berg@intel.com>2016-09-28 23:55:23 +0200
commit8f7d99ba85d4d7118a6cf2d0ed9c2ff8e6528679 (patch)
treebaabc7b1c604ee8a97b5dd5833d0569e7fc44b43 /net
parent8564e38206de2ff005a27c8d7c2ce3869a44f0dd (diff)
downloadlinux-8f7d99ba85d4d7118a6cf2d0ed9c2ff8e6528679.tar.bz2
cfg80211: wext: really don't store non-WEP keys
Jouni reported that during (repeated) wext_pmf test runs (from the wpa_supplicant hwsim test suite) the kernel crashes. The reason is that after the key is set, the wext code still unnecessarily stores it into the key cache. Despite smatch pointing out an overflow, I failed to identify the possibility for this in the code and missed it during development of the earlier patch series. In order to fix this, simply check that we never store anything but WEP keys into the cache, adding a comment as to why that's enough. Also, since the cache is still allocated early even if it won't be used in many cases, add a comment explaining why - otherwise we'd have to roll back key settings to the driver in case of allocation failures, which is far more difficult. Fixes: 89b706fb28e4 ("cfg80211: reduce connect key caching struct size") Reported-by: Jouni Malinen <j@w1.fi> Bisected-by: Jouni Malinen <j@w1.fi> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net')
-rw-r--r--net/wireless/wext-compat.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index 7b97d43b27e1..2b096c02eb85 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -406,6 +406,10 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,
if (pairwise && !addr)
return -EINVAL;
+ /*
+ * In many cases we won't actually need this, but it's better
+ * to do it first in case the allocation fails. Don't use wext.
+ */
if (!wdev->wext.keys) {
wdev->wext.keys = kzalloc(sizeof(*wdev->wext.keys),
GFP_KERNEL);
@@ -493,7 +497,13 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,
if (err)
return err;
- if (!addr) {
+ /*
+ * We only need to store WEP keys, since they're the only keys that
+ * can be be set before a connection is established and persist after
+ * disconnecting.
+ */
+ if (!addr && (params->cipher == WLAN_CIPHER_SUITE_WEP40 ||
+ params->cipher == WLAN_CIPHER_SUITE_WEP104)) {
wdev->wext.keys->params[idx] = *params;
memcpy(wdev->wext.keys->data[idx],
params->key, params->key_len);