cfg80211: validate key index better Don't accept it if a key_idx < 0 snuck through, reject WEP keys with key index 4 and 5 (which are used for IGTKs) and don't allow IGTKs with key indices other than 4 and 5. This makes the key data match expectations better. Signed-off-by: Johannes Berg <johannes.berg@intel.com>

commit: e9c8f8d3a4d54106a30f2b981b53d658c9bc0c8e [log] [tgz]
author: Johannes Berg <johannes.berg@intel.com> Tue Sep 13 16:37:40 2016 +0200
committer: Johannes Berg <johannes.berg@intel.com> Tue Sep 13 20:20:53 2016 +0200
tree: 0df9a19b7ed74f0bd7a4fd3d1386d7fdeab184b1
parent: 9381e267b69acfea96c8429dc99da3e78835cef1 [diff] [blame]
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 0675f51..12e2d3f 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c

@@ -218,7 +218,7 @@
 				   struct key_params *params, int key_idx,
 				   bool pairwise, const u8 *mac_addr)
 {
-	if (key_idx > 5)
+	if (key_idx < 0 || key_idx > 5)
 		return -EINVAL;
 
 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
@@ -249,7 +249,13 @@
 		/* Disallow BIP (group-only) cipher as pairwise cipher */
 		if (pairwise)
 			return -EINVAL;
+		if (key_idx < 4)
+			return -EINVAL;
 		break;
+	case WLAN_CIPHER_SUITE_WEP40:
+	case WLAN_CIPHER_SUITE_WEP104:
+		if (key_idx > 3)
+			return -EINVAL;
 	default:
 		break;
 	}
commit	e9c8f8d3a4d54106a30f2b981b53d658c9bc0c8e	[log] [tgz]
author	Johannes Berg <johannes.berg@intel.com>	Tue Sep 13 16:37:40 2016 +0200
committer	Johannes Berg <johannes.berg@intel.com>	Tue Sep 13 20:20:53 2016 +0200
tree	0df9a19b7ed74f0bd7a4fd3d1386d7fdeab184b1
parent	9381e267b69acfea96c8429dc99da3e78835cef1 [diff] [blame]