Commit fd0e4c59 authored by David S. Miller's avatar David S. Miller

Merge tag 'mac80211-for-davem-2017-11-19' of...

Merge tag 'mac80211-for-davem-2017-11-19' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
Just two netlink fixes, both allowing privileged users
to crash the kernel with malformed netlink messages.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 3993491b 265698d7
...@@ -9987,6 +9987,9 @@ static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info) ...@@ -9987,6 +9987,9 @@ static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
if (err) if (err)
return err; return err;
if (!setup.chandef.chan)
return -EINVAL;
err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band, err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
&setup.beacon_rate); &setup.beacon_rate);
if (err) if (err)
...@@ -10903,6 +10906,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info) ...@@ -10903,6 +10906,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
if (err) if (err)
return err; return err;
if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
!tb[NL80211_REKEY_DATA_KCK])
return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE; return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN) if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment