[patch] rndis_wlan: add range check in del

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [patch] rndis_wlan: add range check in del_key()
@ 2011-10-18  6:47 Dan Carpenter
  2011-10-18  6:54 ` Johannes Berg
  2011-10-18  7:07 ` Jussi Kivilinna
  0 siblings, 2 replies; 5+ messages in thread
From: Dan Carpenter @ 2011-10-18  6:47 UTC (permalink / raw)
  To: Jussi Kivilinna; +Cc: John W. Linville, linux-wireless, kernel-janitors

Wifi drivers can have up to 6 keys but the rndis_wlan only has 4 so
it needs to have its own checks to make sure we don't go out of
bounds.  The add_key() function already checks but I added some
checks to del_key() and set_default_key().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 0c13840..da78369 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -414,6 +414,7 @@ struct ndis_80211_pmkid {
 #define RNDIS_WLAN_ALG_TKIP	(1<<1)
 #define RNDIS_WLAN_ALG_CCMP	(1<<2)
 
+#define RNDIS_WLAN_NUM_KEYS		4
 #define RNDIS_WLAN_KEY_MGMT_NONE	0
 #define RNDIS_WLAN_KEY_MGMT_802_1X	(1<<0)
 #define RNDIS_WLAN_KEY_MGMT_PSK		(1<<1)
@@ -516,7 +517,7 @@ struct rndis_wlan_private {
 
 	/* encryption stuff */
 	int  encr_tx_key_index;
-	struct rndis_wlan_encr_key encr_keys[4];
+	struct rndis_wlan_encr_key encr_keys[RNDIS_WLAN_NUM_KEYS];
 	int  wpa_version;
 
 	u8 command_buffer[COMMAND_BUFFER_SIZE];
@@ -1535,6 +1536,9 @@ static int remove_key(struct usbnet *usbdev, int index, const u8 *bssid)
 	bool is_wpa;
 	int ret;
 
+	if (index >= RNDIS_WLAN_NUM_KEYS)
+		return -ENOENT;
+
 	if (priv->encr_keys[index].len == 0)
 		return 0;
 
@@ -2451,6 +2455,9 @@ static int rndis_set_default_key(struct wiphy *wiphy, struct net_device *netdev,
 
 	netdev_dbg(usbdev->net, "%s(%i)\n", __func__, key_index);
 
+	if (key_index >= RNDIS_WLAN_NUM_KEYS)
+		return -ENOENT;
+
 	priv->encr_tx_key_index = key_index;
 
 	if (is_wpa_key(priv, key_index))

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [patch] rndis_wlan: add range check in del_key()
  2011-10-18  6:47 [patch] rndis_wlan: add range check in del_key() Dan Carpenter
@ 2011-10-18  6:54 ` Johannes Berg
  2011-10-18  7:22   ` Dan Carpenter
  2011-10-18  7:07 ` Jussi Kivilinna
  1 sibling, 1 reply; 5+ messages in thread
From: Johannes Berg @ 2011-10-18  6:54 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Jussi Kivilinna, John W. Linville, linux-wireless,
	kernel-janitors

On Tue, 2011-10-18 at 09:47 +0300, Dan Carpenter wrote:
> Wifi drivers can have up to 6 keys but the rndis_wlan only has 4 so
> it needs to have its own checks to make sure we don't go out of
> bounds.  The add_key() function already checks but I added some
> checks to del_key() and set_default_key().

Semantically, that shouldn't be possible unless it advertises support
for WLAN_CIPHER_SUITE_AES_CMAC. Is there a bug in those checks?

The checks don't hurt, obviously.

johannes


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [patch] rndis_wlan: add range check in del_key()
  2011-10-18  6:47 [patch] rndis_wlan: add range check in del_key() Dan Carpenter
  2011-10-18  6:54 ` Johannes Berg
@ 2011-10-18  7:07 ` Jussi Kivilinna
  1 sibling, 0 replies; 5+ messages in thread
From: Jussi Kivilinna @ 2011-10-18  7:07 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: John W. Linville, linux-wireless, kernel-janitors

Quoting Dan Carpenter <dan.carpenter@oracle.com>:

> Wifi drivers can have up to 6 keys but the rndis_wlan only has 4 so
> it needs to have its own checks to make sure we don't go out of
> bounds.  The add_key() function already checks but I added some
> checks to del_key() and set_default_key().

Looks ok, thanks.

Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>

>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/net/wireless/rndis_wlan.c  
> b/drivers/net/wireless/rndis_wlan.c
> index 0c13840..da78369 100644
> --- a/drivers/net/wireless/rndis_wlan.c
> +++ b/drivers/net/wireless/rndis_wlan.c
> @@ -414,6 +414,7 @@ struct ndis_80211_pmkid {
>  #define RNDIS_WLAN_ALG_TKIP	(1<<1)
>  #define RNDIS_WLAN_ALG_CCMP	(1<<2)
>
> +#define RNDIS_WLAN_NUM_KEYS		4
>  #define RNDIS_WLAN_KEY_MGMT_NONE	0
>  #define RNDIS_WLAN_KEY_MGMT_802_1X	(1<<0)
>  #define RNDIS_WLAN_KEY_MGMT_PSK		(1<<1)
> @@ -516,7 +517,7 @@ struct rndis_wlan_private {
>
>  	/* encryption stuff */
>  	int  encr_tx_key_index;
> -	struct rndis_wlan_encr_key encr_keys[4];
> +	struct rndis_wlan_encr_key encr_keys[RNDIS_WLAN_NUM_KEYS];
>  	int  wpa_version;
>
>  	u8 command_buffer[COMMAND_BUFFER_SIZE];
> @@ -1535,6 +1536,9 @@ static int remove_key(struct usbnet *usbdev,  
> int index, const u8 *bssid)
>  	bool is_wpa;
>  	int ret;
>
> +	if (index >= RNDIS_WLAN_NUM_KEYS)
> +		return -ENOENT;
> +
>  	if (priv->encr_keys[index].len == 0)
>  		return 0;
>
> @@ -2451,6 +2455,9 @@ static int rndis_set_default_key(struct wiphy  
> *wiphy, struct net_device *netdev,
>
>  	netdev_dbg(usbdev->net, "%s(%i)\n", __func__, key_index);
>
> +	if (key_index >= RNDIS_WLAN_NUM_KEYS)
> +		return -ENOENT;
> +
>  	priv->encr_tx_key_index = key_index;
>
>  	if (is_wpa_key(priv, key_index))
>
>




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [patch] rndis_wlan: add range check in del_key()
  2011-10-18  6:54 ` Johannes Berg
@ 2011-10-18  7:22   ` Dan Carpenter
  2011-10-18  7:33     ` Johannes Berg
  0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2011-10-18  7:22 UTC (permalink / raw)
  To: Johannes Berg
  Cc: Jussi Kivilinna, John W. Linville, linux-wireless,
	kernel-janitors

On Tue, Oct 18, 2011 at 08:54:47AM +0200, Johannes Berg wrote:
> On Tue, 2011-10-18 at 09:47 +0300, Dan Carpenter wrote:
> > Wifi drivers can have up to 6 keys but the rndis_wlan only has 4 so
> > it needs to have its own checks to make sure we don't go out of
> > bounds.  The add_key() function already checks but I added some
> > checks to del_key() and set_default_key().
> 
> Semantically, that shouldn't be possible unless it advertises support
> for WLAN_CIPHER_SUITE_AES_CMAC. Is there a bug in those checks?
> 

You know I'm a newbie at this networking...  I obviously had no idea
about WLAN_CIPHER_SUITE_AES_CMAC until you mentioned it.  I just
looked at the other implementations of del_key() etc and they checked
it.  Monkey see, monkey do.

My concern when I wrote this patch was places like __cfg80211_clear_ibss()
which just do:

	for (i = 0; i < 6; i++)
		rdev->ops->del_key(wdev->wiphy, dev, i, false, NULL);

That's what triggers the Smatch warning as well.  But as I said, I'm
quite a newbie at this code.

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [patch] rndis_wlan: add range check in del_key()
  2011-10-18  7:22   ` Dan Carpenter
@ 2011-10-18  7:33     ` Johannes Berg
  0 siblings, 0 replies; 5+ messages in thread
From: Johannes Berg @ 2011-10-18  7:33 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Jussi Kivilinna, John W. Linville, linux-wireless,
	kernel-janitors

On Tue, 2011-10-18 at 10:22 +0300, Dan Carpenter wrote:
> On Tue, Oct 18, 2011 at 08:54:47AM +0200, Johannes Berg wrote:
> > On Tue, 2011-10-18 at 09:47 +0300, Dan Carpenter wrote:
> > > Wifi drivers can have up to 6 keys but the rndis_wlan only has 4 so
> > > it needs to have its own checks to make sure we don't go out of
> > > bounds.  The add_key() function already checks but I added some
> > > checks to del_key() and set_default_key().
> > 
> > Semantically, that shouldn't be possible unless it advertises support
> > for WLAN_CIPHER_SUITE_AES_CMAC. Is there a bug in those checks?
> > 
> 
> You know I'm a newbie at this networking...  I obviously had no idea
> about WLAN_CIPHER_SUITE_AES_CMAC until you mentioned it.  I just
> looked at the other implementations of del_key() etc and they checked
> it.  Monkey see, monkey do.
> 
> My concern when I wrote this patch was places like __cfg80211_clear_ibss()
> which just do:
> 
> 	for (i = 0; i < 6; i++)
> 		rdev->ops->del_key(wdev->wiphy, dev, i, false, NULL);
> 
> That's what triggers the Smatch warning as well.  But as I said, I'm
> quite a newbie at this code.

Ah ok, I didn't know they didn't check. That's reasonable, thanks!

I was just thinking that we wouldn't have keys 4/5 w/o CMAC to start
with, but it makes some sense that the code would just try to clear all
keys.

johannes


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2011-10-18  7:33 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-10-18  6:47 [patch] rndis_wlan: add range check in del_key() Dan Carpenter
2011-10-18  6:54 ` Johannes Berg
2011-10-18  7:22   ` Dan Carpenter
2011-10-18  7:33     ` Johannes Berg
2011-10-18  7:07 ` Jussi Kivilinna

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).