From 354e159d8c9970969873d66a789d3ac4528c44ff Mon Sep 17 00:00:00 2001 From: Max Stepanov Date: Sun, 8 Dec 2013 13:30:52 +0200 Subject: mac80211: check pairwise key_idx on get_key call Verify that a pairwise key index value on ieee80211_get_key call doesn't exceed the boundaries of the pairwise key array. Signed-off-by: Max Stepanov Signed-off-by: Johannes Berg --- net/mac80211/cfg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'net/mac80211') diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 35bb71be72bb..0962c77f013e 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -301,9 +301,9 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev, if (!sta) goto out; - if (pairwise) + if (pairwise && key_idx < NUM_DEFAULT_KEYS) key = rcu_dereference(sta->ptk[key_idx]); - else if (key_idx < NUM_DEFAULT_KEYS) + else if (!pairwise && key_idx < NUM_DEFAULT_KEYS) key = rcu_dereference(sta->gtk[key_idx]); } else key = rcu_dereference(sdata->keys[key_idx]); -- cgit v1.2.3