mac80211: check pairwise key_idx on get_key call Verify that a pairwise key index value on ieee80211_get_key call doesn't exceed the boundaries of the pairwise key array. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

commit: 354e159d8c9970969873d66a789d3ac4528c44ff [log] [tgz]
author: Max Stepanov <Max.Stepanov@intel.com> Sun Dec 08 13:30:52 2013 +0200
committer: Johannes Berg <johannes.berg@intel.com> Mon Dec 16 15:10:10 2013 +0100
tree: e4952fce57368a9dbc3b56861643d8d091b7a0f7
parent: dddd586bee9325e890a671f8e24ae39418338295 [diff] [blame]
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 35bb71b..0962c77 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c

@@ -301,9 +301,9 @@
 		if (!sta)
 			goto out;
 
-		if (pairwise)
+		if (pairwise && key_idx < NUM_DEFAULT_KEYS)
 			key = rcu_dereference(sta->ptk[key_idx]);
-		else if (key_idx < NUM_DEFAULT_KEYS)
+		else if (!pairwise && key_idx < NUM_DEFAULT_KEYS)
 			key = rcu_dereference(sta->gtk[key_idx]);
 	} else
 		key = rcu_dereference(sdata->keys[key_idx]);
commit	354e159d8c9970969873d66a789d3ac4528c44ff	[log] [tgz]
author	Max Stepanov <Max.Stepanov@intel.com>	Sun Dec 08 13:30:52 2013 +0200
committer	Johannes Berg <johannes.berg@intel.com>	Mon Dec 16 15:10:10 2013 +0100
tree	e4952fce57368a9dbc3b56861643d8d091b7a0f7
parent	dddd586bee9325e890a671f8e24ae39418338295 [diff] [blame]