Message ID | 20231004143740.40933-1-Igor.A.Artemiev@mcst.ru (mailing list archive) |
---|---|
State | Rejected |
Delegated to: | Johannes Berg |
Headers | show |
Series | [lvc-project] wifi: mac80211: fix buffer overflow in ieee80211_rx_get_bigtk() | expand |
On Wed, 2023-10-04 at 17:37 +0300, Igor Artemiev wrote:
> If 'idx' is 0
And ... how exactly do you propose that is going to happen?
johannes
On 10/4/23 17:58, Johannes Berg wrote:
> And ... how exactly do you propose that is going to happen?
'conf.keyidx', the value that is passed to the function, can be 0. But I
missed checking the second argument of the ieee80211_rx_get_bigtk()
function before calling it. Sorry to bother you.
Thanks,
Igor
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index e751cda5eef6..e686380434bd 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1868,10 +1868,13 @@ ieee80211_rx_get_bigtk(struct ieee80211_rx_data *rx, int idx) key = rcu_dereference(rx->link_sta->gtk[idx]); if (!key) key = rcu_dereference(rx->link->gtk[idx]); - if (!key && rx->link_sta) - key = rcu_dereference(rx->link_sta->gtk[idx2]); - if (!key) - key = rcu_dereference(rx->link->gtk[idx2]); + + if (idx2 >= 0) { + if (!key && rx->link_sta) + key = rcu_dereference(rx->link_sta->gtk[idx2]); + if (!key) + key = rcu_dereference(rx->link->gtk[idx2]); + } return key; }
If 'idx' is 0, then 'idx2' is -1, and arrays will be accessed by a negative index. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Igor Artemiev <Igor.A.Artemiev@mcst.ru> --- net/mac80211/rx.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)