Skip to content

Commit fd0e4c5

Browse files
davem330davem330
committed
Merge tag 'mac80211-for-davem-2017-11-19' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
Johannes Berg says: ==================== Just two netlink fixes, both allowing privileged users to crash the kernel with malformed netlink messages. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2 parents 3993491 + 265698d commit fd0e4c5

File tree

1 file changed

+6
-0
lines changed

1 file changed

+6
-0
lines changed

net/wireless/nl80211.c

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9987,6 +9987,9 @@ static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
99879987
if (err)
99889988
return err;
99899989

9990+
if (!setup.chandef.chan)
9991+
return -EINVAL;
9992+
99909993
err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
99919994
&setup.beacon_rate);
99929995
if (err)
@@ -10903,6 +10906,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
1090310906
if (err)
1090410907
return err;
1090510908

10909+
if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
10910+
!tb[NL80211_REKEY_DATA_KCK])
10911+
return -EINVAL;
1090610912
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
1090710913
return -ERANGE;
1090810914
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)

0 commit comments

Comments
 (0)