Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2995797pxa; Tue, 25 Aug 2020 08:41:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzY8rcrA7fSdBJvVz4mJ48xom21uQ5hVbHynx4qew36W/TG5z3W7cU130u+AU5W+1Vz0hx4 X-Received: by 2002:a05:6402:342:: with SMTP id r2mr6992087edw.353.1598370107626; Tue, 25 Aug 2020 08:41:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598370107; cv=none; d=google.com; s=arc-20160816; b=Ue0i2+oAgv9qkNxSpCXQO6VFx8uDgBdb014ydVwWvquy7ltoat6+WKKS7aLaMqZyV4 Dkb2PyJ4aBrEosfW0uN7+M/FCl1+wVG1lYE0Vzo1X9gsgWissAe40W5Aj2Ur5w+bDBRn uLAVfjKNX772WiTKUEOcY1/3Gr+HNEbUr4sLD+Om3kIKf98BW4ML13HkakEo28/6qyZ5 2Didf8kh+InsrR4+fCqIbmZdGC5BPcT1LAUqkdihFeLiL/NG5afZCSNyVK/cmXTUjqCU LjQyX1F/LiC70A/jNNUnBjP6yaqacz9xcvzwIUVsGr1yLSd7jzydcpxa4whxlwS70zdB lH5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:content-transfer-encoding:mime-version :message-id:date:subject:cc:from:dkim-signature; bh=aOC7A48azq7u/Y2PtBK0riAhUlLviqiXpwCgqBbMTlA=; b=QOKFKaJ5ZGBWspiubf82PrzDY010elEqraEk3RBorq9rhXJKFt/8Lh4M87dS6ms879 aBWksIDqbEmeN1F4vI9FAl5b9hDYP6xe8sb+L81HYVF8I+tovXoShbMKqTxPPLxiUNT1 X/IZIsyfh8in4hQe3SZXgCKF7gCbdO0cy0ZjCFDvemBKUMbvpMpYWh9xAobKZlme5OpY PcSbw8wLduHxMFT0wMrJmxyFOv1OKbKPN0OOyn6woQnPtI0t+ibr1A6SU9jYPuAJPg/U PIMHpf9aPhy1MgaLzBjT1vtKt/k6QOIhDwzYwnxYaWWsIq8DUqIlvjv1oPKYMSkHoKq0 EQzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MiQdsXLB; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t22si9286865ejy.433.2020.08.25.08.41.05; Tue, 25 Aug 2020 08:41:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MiQdsXLB; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726548AbgHYPio (ORCPT + 99 others); Tue, 25 Aug 2020 11:38:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44356 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726015AbgHYPim (ORCPT ); Tue, 25 Aug 2020 11:38:42 -0400 Received: from mail-ej1-x641.google.com (mail-ej1-x641.google.com [IPv6:2a00:1450:4864:20::641]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 73CDDC061574; Tue, 25 Aug 2020 08:38:42 -0700 (PDT) Received: by mail-ej1-x641.google.com with SMTP id a26so17186240ejc.2; Tue, 25 Aug 2020 08:38:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=aOC7A48azq7u/Y2PtBK0riAhUlLviqiXpwCgqBbMTlA=; b=MiQdsXLBEShUJ3UfYx+HFrMQ3lqH48i2EWUdUukYa7h9wqemD9VAq/8/CVS6AEYiXM Q/nA1/NVN+JcYAUyeoJAj+IghWrQe+PELqxBqdmzWLXEkziwL4I+gylS8fXXupJkoA8V AI5dHIdhZlk7LU/XE4D0lC3euvaM5CmgZk5tjp+qkJUjGvkcyoHppfC2yX8NUrEaHo2a sYpbyGTI70YWCic4UMWwCS/7I+U/KgePrT1pkWY6qRUePX+3ugMWUSIKecu7wK8l/b1r 4c4jBek6Sl6QR3287MliHSSQCUTPB8MNXeuWUiapkF2kJUOSRItNM8PF37UFQ0arnAdu 8drQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=aOC7A48azq7u/Y2PtBK0riAhUlLviqiXpwCgqBbMTlA=; b=sPN4O4Rw/sPKR5hfJCleCPB1T42/rVOSDhhQ7ctlj6ouaBl3DjI2NsIt4BQr/ItZ5f vW4sx08f+QtceyO5XMrimgQ/lY0Ljn0oHGx2v10B4b5c8oLNnKbiV7+gceqkyt5bapWJ Jzia2F3JwmTo47EEX/sCdZdKo1UtAHIIBJm/wsczneFUr3D7AWLW4rFLcRqyZmK7Fdg7 kVddFekH6l9DKBk+Cn9SivE5y3u3jr5oyKLbE1SCsUurxrgSH+WyUYE/2/cs22w+sPZO T2NBF5/28iOZQ7ztnt9dAbVOSa1dvgABbXFewFgt4n+JmBWke2ITfpbHVD196x9UcybN ac5Q== X-Gm-Message-State: AOAM530IiVn69L7+1LLoN+vgrwOqVW9z6lri0+Houa0QEk46sZGzeizb rQL/Opa/Ph/bSVgOai5CdB4= X-Received: by 2002:a17:906:e24e:: with SMTP id gq14mr5213550ejb.378.1598369921131; Tue, 25 Aug 2020 08:38:41 -0700 (PDT) Received: from xws.fritz.box (pd9ea301b.dip0.t-ipconnect.de. [217.234.48.27]) by smtp.gmail.com with ESMTPSA id t22sm13105804ejf.24.2020.08.25.08.38.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Aug 2020 08:38:40 -0700 (PDT) From: Maximilian Luz Cc: Amitkumar Karwar , Ganapathi Bhat , Xinming Hu , Kalle Valo , "David S. Miller" , Jakub Kicinski , Dan Carpenter , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Maximilian Luz , Kaloyan Nikolov Subject: [PATCH net] mwifiex: Increase AES key storage size to 256 bits Date: Tue, 25 Aug 2020 17:38:29 +0200 Message-Id: <20200825153829.38043-1-luzmaximilian@gmail.com> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit To: unlisted-recipients:; (no To-header on input) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Following commit e18696786548 ("mwifiex: Prevent memory corruption handling keys") the mwifiex driver fails to authenticate with certain networks, specifically networks with 256 bit keys, and repeatedly asks for the password. The kernel log repeats the following lines (id and bssid redacted): mwifiex_pcie 0000:01:00.0: info: trying to associate to '' bssid mwifiex_pcie 0000:01:00.0: info: associated to bssid successfully mwifiex_pcie 0000:01:00.0: crypto keys added mwifiex_pcie 0000:01:00.0: info: successfully disconnected from : reason code 3 Tracking down this problem lead to the overflow check introduced by the aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This check fails on networks with 256 bit keys due to the current storage size for AES keys in struct mwifiex_aes_param being only 128 bit. To fix this issue, increase the storage size for AES keys to 256 bit. Signed-off-by: Maximilian Luz Reported-by: Kaloyan Nikolov Tested-by: Kaloyan Nikolov --- drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h index 8047e307892e3..d9f8bdbc817b2 100644 --- a/drivers/net/wireless/marvell/mwifiex/fw.h +++ b/drivers/net/wireless/marvell/mwifiex/fw.h @@ -954,7 +954,7 @@ struct mwifiex_tkip_param { struct mwifiex_aes_param { u8 pn[WPA_PN_SIZE]; __le16 key_len; - u8 key[WLAN_KEY_LEN_CCMP]; + u8 key[WLAN_KEY_LEN_CCMP_256]; } __packed; struct mwifiex_wapi_param { diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c index 962d8bfe6f101..119ccacd1fcc4 100644 --- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c @@ -619,7 +619,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, key_v2 = &resp->params.key_material_v2; len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); - if (len > WLAN_KEY_LEN_CCMP) + if (len > sizeof(key_v2->key_param_set.key_params.aes.key)) return -EINVAL; if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { @@ -635,7 +635,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, return 0; memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, - WLAN_KEY_LEN_CCMP); + sizeof(key_v2->key_param_set.key_params.aes.key)); priv->aes_key_v2.key_param_set.key_params.aes.key_len = cpu_to_le16(len); memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, -- 2.28.0