From: Luca Coelho
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org
Date: Fri, 9 Apr 2021 12:40:23 +0300
In-Reply-To: <20210409094028.356611-1-luca@coelho.fi>
Subject: [PATCH 10/15] mac80211: bail out if cipher schemes are invalid

From: Johannes Berg If any of the cipher schemes specified by the driver are invalid, bail out and fail the registration rather than just warning. Otherwise, we might later crash when we try to use the invalid cipher scheme, e.g. if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd have an out-of-bounds access in RX validation. Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho --- net/mac80211/main.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/mac80211/main.c b/net/mac80211/main.c index f27aed37ed2b..ba624cb250b3 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1137,8 +1137,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) if (local->hw.wiphy->max_scan_ie_len) local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len; - WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, - local->hw.n_cipher_schemes)); + if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, + local->hw.n_cipher_schemes))) { + result = -EINVAL; + goto fail_workqueue; + } result = ieee80211_init_cipher_suites(local); if (result < 0) -- 2.31.0
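
Review bot: The new error branch in ieee80211_register_hw() jumps to fail_workqueue, but nothing in the visible context shows what that label unwinds, so please confirm it undoes exactly what has been set up by the time the cipher scheme check runs and that it is the same label the ieee80211_init_cipher_suites() failure just below uses. The fix also depends entirely on ieee80211_cs_list_valid() rejecting the case the commit message names (hdr_len less than pn_offs + pn_len), and that helper is not part of this hunk; consider stating in the commit message that the helper checks that relation, or adding a one-line comment above the `if (WARN_ON(...))` explaining that registration fails here because an invalid scheme would later be used in RX validation.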