wifi: iwlwifi: mvm: fix potential array out of bounds access

author Gregory Greenman <gregory.greenman@intel.com>

Tue, 13 Jun 2023 12:57:21 +0000 (15:57 +0300)

committer Johannes Berg <johannes.berg@intel.com>

Wed, 14 Jun 2023 10:32:20 +0000 (12:32 +0200)
author Gregory Greenman <gregory.greenman@intel.com>
Tue, 13 Jun 2023 12:57:21 +0000 (15:57 +0300)
committer Johannes Berg <johannes.berg@intel.com>
Wed, 14 Jun 2023 10:32:20 +0000 (12:32 +0200)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c

index 3e6f86f644b581252e4a63594532798256c7bce9..995c0e01b331f2d828fd62b028718b9b72b19e1d 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
@@ -1,6 +1,6 @@
  // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
  /*
- * Copyright (C) 2022 Intel Corporation
+ * Copyright (C) 2022 - 2023 Intel Corporation
   */
  #include <linux/kernel.h>
  #include <net/mac80211.h>
@@ -175,9 +175,14 @@ int iwl_mvm_mld_send_key(struct iwl_mvm *mvm, u32 sta_mask, u32 key_flags,
                 .u.add.key_flags = cpu_to_le32(key_flags),
                 .u.add.tx_seq = cpu_to_le64(atomic64_read(&keyconf->tx_pn)),
         };
+       int max_key_len = sizeof(cmd.u.add.key);
         int ret;
  
-       if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key)))
+       if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 ||
+           keyconf->cipher == WLAN_CIPHER_SUITE_WEP104)
+               max_key_len -= IWL_SEC_WEP_KEY_OFFSET;
+
+       if (WARN_ON(keyconf->keylen > max_key_len))
                 return -EINVAL;
  
         if (WARN_ON(!sta_mask))
author	Gregory Greenman <gregory.greenman@intel.com>
	Tue, 13 Jun 2023 12:57:21 +0000 (15:57 +0300)
committer	Johannes Berg <johannes.berg@intel.com>
	Wed, 14 Jun 2023 10:32:20 +0000 (12:32 +0200)