37 lines
1.5 KiB
Diff
37 lines
1.5 KiB
Diff
From: Vladis Dronov <vdronov@redhat.com>
|
|
Date: Tue, 12 Sep 2017 22:21:21 +0000
|
|
Subject: nl80211: check for the required netlink attributes presence
|
|
Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
|
|
|
|
nl80211_set_rekey_data() does not check if the required attributes
|
|
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
|
|
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
|
|
users with CAP_NET_ADMIN privilege and may result in NULL dereference
|
|
and a system crash. Add a check for the required attributes presence.
|
|
This patch is based on the patch by bo Zhang.
|
|
|
|
This fixes CVE-2017-12153.
|
|
|
|
References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
|
|
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
|
|
Cc: <stable@vger.kernel.org> # v3.1-rc1
|
|
Reported-by: bo Zhang <zhangbo5891001@gmail.com>
|
|
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
|
---
|
|
net/wireless/nl80211.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
--- a/net/wireless/nl80211.c
|
|
+++ b/net/wireless/nl80211.c
|
|
@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
|
|
if (err)
|
|
return err;
|
|
|
|
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
|
|
+ !tb[NL80211_REKEY_DATA_KCK])
|
|
+ return -EINVAL;
|
|
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
|
|
return -ERANGE;
|
|
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
|