All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] mac80211: fix a potential NULL access in ieee80211_crypto_hw_decrypt
@ 2014-07-09 13:55 Emmanuel Grumbach
  2014-07-21 10:34 ` Johannes Berg
  0 siblings, 1 reply; 2+ messages in thread
From: Emmanuel Grumbach @ 2014-07-09 13:55 UTC (permalink / raw)
  To: johannes; +Cc: linux-wireless, Max Stepanov, Emmanuel Grumbach

From: Max Stepanov <Max.Stepanov@intel.com>

The NULL pointer access could happen when ieee80211_crypto_hw_decrypt
is called from ieee80211_rx_h_decrypt with the following condition:
1. rx->key->conf.cipher is not WEP, CCMP, TKIP or AES_CMAC
2. rx->sta is NULL

When ieee80211_crypto_hw_decrypt is called, it verifies
rx->sta->cipher_scheme and it will cause Oops if rx->sta is NULL.

This path adds an addirional rx->sta == NULL verification in
ieee80211_crypto_hw_decrypt for this case.

Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
---
 net/mac80211/wpa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 9b3dcc2..f7d4ca4 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -811,7 +811,7 @@ ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx)
 ieee80211_rx_result
 ieee80211_crypto_hw_decrypt(struct ieee80211_rx_data *rx)
 {
-	if (rx->sta->cipher_scheme)
+	if (rx->sta && rx->sta->cipher_scheme)
 		return ieee80211_crypto_cs_decrypt(rx);
 
 	return RX_DROP_UNUSABLE;
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] mac80211: fix a potential NULL access in ieee80211_crypto_hw_decrypt
  2014-07-09 13:55 [PATCH] mac80211: fix a potential NULL access in ieee80211_crypto_hw_decrypt Emmanuel Grumbach
@ 2014-07-21 10:34 ` Johannes Berg
  0 siblings, 0 replies; 2+ messages in thread
From: Johannes Berg @ 2014-07-21 10:34 UTC (permalink / raw)
  To: Emmanuel Grumbach; +Cc: linux-wireless, Max Stepanov

On Wed, 2014-07-09 at 16:55 +0300, Emmanuel Grumbach wrote:
> From: Max Stepanov <Max.Stepanov@intel.com>
> 
> The NULL pointer access could happen when ieee80211_crypto_hw_decrypt
> is called from ieee80211_rx_h_decrypt with the following condition:
> 1. rx->key->conf.cipher is not WEP, CCMP, TKIP or AES_CMAC
> 2. rx->sta is NULL
> 
> When ieee80211_crypto_hw_decrypt is called, it verifies
> rx->sta->cipher_scheme and it will cause Oops if rx->sta is NULL.
> 
> This path adds an addirional rx->sta == NULL verification in
> ieee80211_crypto_hw_decrypt for this case.

Applied.

johannes


^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-07-21 10:34 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-07-09 13:55 [PATCH] mac80211: fix a potential NULL access in ieee80211_crypto_hw_decrypt Emmanuel Grumbach
2014-07-21 10:34 ` Johannes Berg

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.