diff options
| author | Vladis Dronov <vdronov@redhat.com> | 2017-09-13 00:21:21 +0200 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-10-16 16:03:07 +0200 |
| commit | 19cad8b371001e3157336b0a663b9442d9f05de7 (patch) | |
| tree | 90b5624452401f17f7dd343ae1ba261f37c4245f /net/wireless | |
| parent | 25e99df04b1d41338a2a2ada3941d3ee1dbb4673 (diff) | |
nl80211: check for the required netlink attributes presence
commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.
nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.
This fixes CVE-2017-12153.
Change-Id: Ia6ce5dd03a88412020e47a681cb75f4e8c1aafd8
References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Reported-by: bo Zhang <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'net/wireless')
| -rw-r--r-- | net/wireless/nl80211.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 713d9439b..0fa491daf 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -8119,6 +8119,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info) if (err) return err; + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || + !tb[NL80211_REKEY_DATA_KCK]) + return -EINVAL; if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN) |