| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Jul 2019 20:36:33 +0800
From: Jia-Ju Bai <baijiaju1990@...il.com>
To: johannes@...solutions.net, davem@...emloft.net
Cc: linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, Jia-Ju Bai <baijiaju1990@...il.com>
Subject: [PATCH 2/2] net: mac80211: Fix possible null-pointer dereferences in ieee80211_xmit_fast_finish()
In ieee80211_xmit_fast_finish(), there is an if statement on line 3356
to check whether key is NULL:
if (key)
When key is NULL, it is used on line 3388:
switch (key->conf.cipher)
and line 3393:
pn = atomic64_inc_return(&key->conf.tx_pn);
and line 3396:
crypto_hdr[3] = 0x20 | (key->conf.keyidx << 6);
Thus, possible null-pointer dereferences may occur.
To fix these bugs, key is checked on line 3384.
These bugs are found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com>
---
net/mac80211/tx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index f13eb2f61ccf..2cc261165b91 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3381,7 +3381,7 @@ static void ieee80211_xmit_fast_finish(struct ieee80211_sub_if_data *sdata,
sta->tx_stats.bytes[skb_get_queue_mapping(skb)] += skb->len;
sta->tx_stats.packets[skb_get_queue_mapping(skb)]++;
- if (pn_offs) {
+ if (key && pn_offs) {
u64 pn;
u8 *crypto_hdr = skb->data + pn_offs;
--
2.17.0
Powered by blists - more mailing lists