e9a47662ff
commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream. In nl80211_parse_key(), key.idx is first initialized as -1. If this value of key.idx remains unmodified and gets returned, and nl80211_key_allowed() also returns 0, then rdev_del_key() gets called with key.idx = -1. This causes an out-of-bounds array access. Handle this issue by checking if the value of key.idx after nl80211_parse_key() is called and return -EINVAL if key.idx < 0. Change-Id: Ie00275076bb4ee6a31d0e59b4b0e477ae732327d Cc: stable@vger.kernel.org Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com> Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| Kconfig | ||
| Makefile | ||
| ap.c | ||
| chan.c | ||
| core.c | ||
| core.h | ||
| db.txt | ||
| debugfs.c | ||
| debugfs.h | ||
| ethtool.c | ||
| ethtool.h | ||
| genregdb.awk | ||
| ibss.c | ||
| lib80211.c | ||
| lib80211_crypt_ccmp.c | ||
| lib80211_crypt_tkip.c | ||
| lib80211_crypt_wep.c | ||
| mesh.c | ||
| mlme.c | ||
| nl80211.c | ||
| nl80211.h | ||
| radiotap.c | ||
| rdev-ops.h | ||
| reg.c | ||
| reg.h | ||
| regdb.h | ||
| scan.c | ||
| sme.c | ||
| sysfs.c | ||
| sysfs.h | ||
| trace.c | ||
| trace.h | ||
| util.c | ||
| wext-compat.c | ||
| wext-compat.h | ||
| wext-core.c | ||
| wext-priv.c | ||
| wext-proc.c | ||
| wext-sme.c | ||
| wext-spy.c | ||