e9a47662ff
commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream. In nl80211_parse_key(), key.idx is first initialized as -1. If this value of key.idx remains unmodified and gets returned, and nl80211_key_allowed() also returns 0, then rdev_del_key() gets called with key.idx = -1. This causes an out-of-bounds array access. Handle this issue by checking the value of key.idx after nl80211_parse_key() is called and returning -EINVAL if key.idx < 0. Change-Id: Ie00275076bb4ee6a31d0e59b4b0e477ae732327d Cc: stable@vger.kernel.org Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com> Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
---|---|---|
.. | ||
.gitignore | ||
Kconfig | ||
Makefile | ||
ap.c | ||
chan.c | ||
core.c | ||
core.h | ||
db.txt | ||
debugfs.c | ||
debugfs.h | ||
ethtool.c | ||
ethtool.h | ||
genregdb.awk | ||
ibss.c | ||
lib80211.c | ||
lib80211_crypt_ccmp.c | ||
lib80211_crypt_tkip.c | ||
lib80211_crypt_wep.c | ||
mesh.c | ||
mlme.c | ||
nl80211.c | ||
nl80211.h | ||
radiotap.c | ||
rdev-ops.h | ||
reg.c | ||
reg.h | ||
regdb.h | ||
scan.c | ||
sme.c | ||
sysfs.c | ||
sysfs.h | ||
trace.c | ||
trace.h | ||
util.c | ||
wext-compat.c | ||
wext-compat.h | ||
wext-core.c | ||
wext-priv.c | ||
wext-proc.c | ||
wext-sme.c | ||
wext-spy.c |