Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / f1c1f17ac52d22227c0074b3d661d7ed692b707a^! / . / net / wireless
commitf1c1f17ac52d22227c0074b3d661d7ed692b707a[log] [tgz]
authorJohannes Berg <johannes.berg@intel.com>Tue Sep 13 17:08:23 2016 +0200
committerJohannes Berg <johannes.berg@intel.com>Thu Sep 15 16:45:41 2016 +0200
tree39a551700fae54fc01846f2e8f093c33eded483c
parent89b706fb28e431fa7639348536c284fb375eb3c0 [diff]
cfg80211: allow connect keys only with default (TX) key

There's no point in allowing connect keys when one of them
isn't also configured as the TX key, it would just confuse
drivers and probably cause them to pick something for TX.
Disallow this confusing and erroneous configuration.

As wpa_supplicant will always send NL80211_ATTR_KEYS, even
when there are no keys inside, allow that and treat it as
though the attribute isn't present at all.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index 896cbb2..eafdfa5 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c

@@ -114,6 +114,9 @@
 		}
 	}
 
+	if (WARN_ON(connkeys && connkeys->def < 0))
+		return -EINVAL;
+
 	if (WARN_ON(wdev->connect_keys))
 		kzfree(wdev->connect_keys);
 	wdev->connect_keys = connkeys;
@@ -289,7 +292,7 @@
 
 	wdev->wext.ibss.privacy = wdev->wext.default_key != -1;
 
-	if (wdev->wext.keys) {
+	if (wdev->wext.keys && wdev->wext.keys->def != -1) {
 		ck = kmemdup(wdev->wext.keys, sizeof(*ck), GFP_KERNEL);
 		if (!ck)
 			return -ENOMEM;

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 71af96e..f2a77c3 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c

@@ -848,6 +848,15 @@
 	struct nlattr *key;
 	struct cfg80211_cached_keys *result;
 	int rem, err, def = 0;
+	bool have_key = false;
+
+	nla_for_each_nested(key, keys, rem) {
+		have_key = true;
+		break;
+	}
+
+	if (!have_key)
+		return NULL;
 
 	result = kzalloc(sizeof(*result), GFP_KERNEL);
 	if (!result)
@@ -895,6 +904,11 @@
 			*no_ht = true;
 	}
 
+	if (result->def < 0) {
+		err = -EINVAL;
+		goto error;
+	}
+
 	return result;
  error:
 	kfree(result);

diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index add6824..c08a3b5 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c

@@ -1043,6 +1043,9 @@
 				connect->crypto.ciphers_pairwise[0] = cipher;
 			}
 		}
+	} else {
+		if (WARN_ON(connkeys))
+			return -EINVAL;
 	}
 
 	wdev->connect_keys = connkeys;

diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index f6523a4..88f1f69 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c

@@ -42,7 +42,7 @@
 	if (!wdev->wext.connect.ssid_len)
 		return 0;
 
-	if (wdev->wext.keys) {
+	if (wdev->wext.keys && wdev->wext.keys->def != -1) {
 		ck = kmemdup(wdev->wext.keys, sizeof(*ck), GFP_KERNEL);
 		if (!ck)
 			return -ENOMEM;