From: Dan Williams <dcbw@redhat.com>
To: "John W. Linville" <linville@tuxdriver.com>
Cc: Johannes Berg <johannes@sipsolutions.net>,
Tomas Winkler <tomasw@gmail.com>,
Joonwoo Park <joonwpark81@gmail.com>,
JMF <tolas_feup@hotmail.com>,
linux-wireless@vger.kernel.org
Subject: Re: [PATCH] iwlwifi: fix oops on wep key insertion
Date: Fri, 27 Jun 2008 12:07:33 -0400
Message-ID: <1214582853.10355.28.camel@localhost.localdomain>
In-Reply-To: <20080627152843.GA16003@tuxdriver.com>

On Fri, 2008-06-27 at 11:28 -0400, John W. Linville wrote:
> On Mon, Jun 16, 2008 at 10:46:29AM +0200, Johannes Berg wrote:
> >
> > > > [PATCH] wireless: Limit wep key size to 128/104-bits
> > > >
> > > > This patch prevents an overflow which is caused by an invalid long wep key
> > > > insertion
> > > >
> > > > $sudo iwconfig wlan0 enc AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAA
> > > >
> > > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> > > > IP: [memcpy_c+0xb/0x20] memcpy_c+0xb/0x20
> > > > PGD 13a590067 PUD 12e471067 PMD 0
> > > > Oops: 0000 [1] PREEMPT SMP
> > > > CPU 1
> > > > ...
> > > > Pid: 10, comm: events/1 Not tainted 2.6.26-rc2 #9
> > > > ...
> > > > Call Trace:
> > > > [iwl4965:iwl4965_rx_scan_start_notif+0xb/0x20] ? :iwl4965:iwl4965_enqueue_hcmd+0x12b/0x220
> > > > [hci_usb:init_module+0xe97/0x28cb0] :iwlcore:iwl_send_cmd_sync+0x67/0x290
> > > > [save_trace+0x3f/0xb0] ? save_trace+0x3f/0xb0
> > > > ...
> > > >
> > > > Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
> > > > ---
> > > > net/wireless/wext.c | 11 ++++++++++-
> >
> > I'm sure Jean will cry murder because he expects there are some stupid
> > full-mac cards that actually support other sizes.
> >
> > Can't somebody just post a patch to mac80211 that only accepts the two
> > correct sizes like cfg80211 does?
>
> Strawman patch below...

You need to allow 0 through, since you can just set the transmit key
index via ENCODE without setting the key. So the legal values are 0, 5,
and 13. Add 'case 0: /* just setting TX index */' or something and I'll
definitely ack it.

Dan

> ---
>
> From: John W. Linville <linville@tuxdriver.com>
> Subject: [PATCH] mac80211: allow only standard size WEP keys through WEXT
>
> Limit ieee80211_ioctl_siwencode to only accept standard sized WEP keys.
>
> Signed-off-by: John W. Linville <linville@tuxdriver.com>
> ---
> net/mac80211/wext.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/net/mac80211/wext.c b/net/mac80211/wext.c
> index 5af3862..d16b975 100644
> --- a/net/mac80211/wext.c
> +++ b/net/mac80211/wext.c
> @@ -26,6 +26,8 @@
> #include "wpa.h"
> #include "aes_ccm.h"
>
> +#define KEY_SIZE_WEP104 13 /* 104/128-bit WEP keys */
> +#define KEY_SIZE_WEP40 5 /* 40/64-bit WEP keys */
>
> static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
> int idx, int alg, int remove,
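Review bot: the two new defines near the top of net/mac80211/wext.c list the larger size first and are private to this file. Ordering them ascending (KEY_SIZE_WEP40, then KEY_SIZE_WEP104) reads more naturally, and if other mac80211 code needs to check the same lengths, a shared header would keep the values 5 and 13 in one place instead of repeating them.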
> @@ -879,6 +881,14 @@ static int ieee80211_ioctl_siwencode(struct net_device *dev,
> u8 bcaddr[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
> int remove = 0;
>
> + switch (erq->length) {
> + case KEY_SIZE_WEP40:
> + case KEY_SIZE_WEP104:
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> sdata = IEEE80211_DEV_TO_SUB_IF(dev);
>
> idx = erq->flags & IW_ENCODE_INDEX;
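Review bot: the default branch of the switch on erq->length in ieee80211_ioctl_siwencode returns -EINVAL for a length of 0, and the check sits ahead of the idx = erq->flags & IW_ENCODE_INDEX line, so a request that only selects a key index and carries no key material is rejected before its flags are read. Adding a case 0: arm with a comment such as /* just setting TX index */, as the reply in this message asks, would make the accepted set 0, 5 and 13; the commit message should then state that zero-length requests are still accepted.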
> --
> 1.5.5.1
>