[PATCH AUTOSEL 6.4 17/26] wifi: iwlwifi: mvm: fix potential array out of bounds access

From: Sasha Levin
Date: Sun Jul 09 2023 - 11:14:22 EST


From: Gregory Greenman <gregory.greenman@xxxxxxxxx>

[ Upstream commit 637452360ecde9ac972d19416e9606529576b302 ]

Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying
key_len size in iwl_mvm_sec_key_add().

Signed-off-by: Gregory Greenman <gregory.greenman@xxxxxxxxx>
Link: https://lore.kernel.org/r/20230613155501.f193b7493a93.I6948ba625b9318924b96a5e22602ac75d2bd0125@changeid
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
index 8853821b37168..1e659bd07392a 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
/*
- * Copyright (C) 2022 Intel Corporation
+ * Copyright (C) 2022 - 2023 Intel Corporation
*/
#include <linux/kernel.h>
#include <net/mac80211.h>
@@ -179,9 +179,14 @@ int iwl_mvm_sec_key_add(struct iwl_mvm *mvm,
.u.add.key_flags = cpu_to_le32(key_flags),
.u.add.tx_seq = cpu_to_le64(atomic64_read(&keyconf->tx_pn)),
};
+ int max_key_len = sizeof(cmd.u.add.key);
int ret;

- if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key)))
+ if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 ||
+ keyconf->cipher == WLAN_CIPHER_SUITE_WEP104)
+ max_key_len -= IWL_SEC_WEP_KEY_OFFSET;
+
+ if (WARN_ON(keyconf->keylen > max_key_len))
return -EINVAL;

if (WARN_ON(!sta_mask))
--
2.39.2