mac80211: validate cipher scheme PN length better
Currently, a cipher scheme can advertise an arbitrarily long
sequence counter, but mac80211 only supports up to 16 bytes
and the initial value from userspace will be truncated.
Fix two things:
* don't allow the driver to register anything longer than
the 16 bytes that mac80211 reserves space for
* require userspace to specify a starting value with the
correct length (or none at all)
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 0a5d5c5..2e67737 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -485,15 +485,17 @@
break;
default:
if (cs) {
- size_t len = (seq_len > IEEE80211_MAX_PN_LEN) ?
- IEEE80211_MAX_PN_LEN : seq_len;
+ if (seq_len && seq_len != cs->pn_len) {
+ kfree(key);
+ return ERR_PTR(-EINVAL);
+ }
key->conf.iv_len = cs->hdr_len;
key->conf.icv_len = cs->mic_len;
for (i = 0; i < IEEE80211_NUM_TIDS + 1; i++)
- for (j = 0; j < len; j++)
+ for (j = 0; j < seq_len; j++)
key->u.gen.rx_pn[i][j] =
- seq[len - j - 1];
+ seq[seq_len - j - 1];
key->flags |= KEY_FLAG_CIPHER_SCHEME;
}
}
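Review bot: With the clamp to `IEEE80211_MAX_PN_LEN` removed, the copy loop `for (j = 0; j < seq_len; j++)` that writes `key->u.gen.rx_pn[i][j]` is bounded only by `cs->pn_len`. Its memory safety therefore rests on the registration-time limit described in the commit message, which is not visible in this hunk. I would record that invariant next to the new check, e.g. `/* cs->pn_len <= IEEE80211_MAX_PN_LEN is enforced when the cipher scheme is registered */`, or make the bound local with `if (seq_len && (seq_len != cs->pn_len || seq_len > IEEE80211_MAX_PN_LEN)) {`. The `seq_len == 0` case is accepted and leaves `rx_pn` untouched, which presumably relies on the key having been zero-allocated; that is worth confirming. The enclosing function starts and ends outside the hunk.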