mac80211: fix a potential NULL access in ieee80211_crypto_hw_decrypt The NULL pointer access could happen when ieee80211_crypto_hw_decrypt is called from ieee80211_rx_h_decrypt with the following condition: 1. rx->key->conf.cipher is not WEP, CCMP, TKIP or AES_CMAC 2. rx->sta is NULL When ieee80211_crypto_hw_decrypt is called, it verifies rx->sta->cipher_scheme and it will cause Oops if rx->sta is NULL. This path adds an addirional rx->sta == NULL verification in ieee80211_crypto_hw_decrypt for this case. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

commit: aeb136c5b433377324f030b1a50b96eb7a99193b [log] [tgz]
author: Max Stepanov <Max.Stepanov@intel.com> Wed Jul 09 16:55:32 2014 +0300
committer: Johannes Berg <johannes.berg@intel.com> Mon Jul 21 12:34:08 2014 +0200
tree: cbebda7a6a91bf5e6edc4b48ad3cbe29977288e1
parent: fa96aabb6a34eeb86ce6a5e1a3914fe9f106cfcc [diff] [blame]
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 9b3dcc2..f7d4ca4 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c

@@ -811,7 +811,7 @@
 ieee80211_rx_result
 ieee80211_crypto_hw_decrypt(struct ieee80211_rx_data *rx)
 {
-	if (rx->sta->cipher_scheme)
+	if (rx->sta && rx->sta->cipher_scheme)
 		return ieee80211_crypto_cs_decrypt(rx);
 
 	return RX_DROP_UNUSABLE;
commit	aeb136c5b433377324f030b1a50b96eb7a99193b	[log] [tgz]
author	Max Stepanov <Max.Stepanov@intel.com>	Wed Jul 09 16:55:32 2014 +0300
committer	Johannes Berg <johannes.berg@intel.com>	Mon Jul 21 12:34:08 2014 +0200
tree	cbebda7a6a91bf5e6edc4b48ad3cbe29977288e1
parent	fa96aabb6a34eeb86ce6a5e1a3914fe9f106cfcc [diff] [blame]