Commit a916db4b2568837bc2f5bc3e2a97329af26c8dc4
Committed by
Greg Kroah-Hartman
1 parent
d75bd2a694
nl80211: fix per-station group key get/del and memory leak
commit 0fa7b39131576dd1baa6ca17fca53c65d7f62249 upstream. In case userspace attempts to obtain key information for or delete a unicast key, this is currently erroneously rejected unless the driver sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it was never noticed. Fix that, and while at it fix a potential memory leak: the error path in the get_key() function was placed after allocating a message but didn't free it - move it to a better place. Luckily admin permissions are needed to call this operation. Fixes: e31b82136d1ad ("cfg80211/mac80211: allow per-station GTKs") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 1 changed file with 4 additions and 5 deletions Side-by-side Diff
net/wireless/nl80211.c
... | ... | @@ -2805,6 +2805,9 @@ |
2805 | 2805 | if (!rdev->ops->get_key) |
2806 | 2806 | return -EOPNOTSUPP; |
2807 | 2807 | |
2808 | + if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN)) | |
2809 | + return -ENOENT; | |
2810 | + | |
2808 | 2811 | msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); |
2809 | 2812 | if (!msg) |
2810 | 2813 | return -ENOMEM; |
... | ... | @@ -2824,10 +2827,6 @@ |
2824 | 2827 | nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr)) |
2825 | 2828 | goto nla_put_failure; |
2826 | 2829 | |
2827 | - if (pairwise && mac_addr && | |
2828 | - !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN)) | |
2829 | - return -ENOENT; | |
2830 | - | |
2831 | 2830 | err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie, |
2832 | 2831 | get_key_callback); |
2833 | 2832 | |
... | ... | @@ -2998,7 +2997,7 @@ |
2998 | 2997 | wdev_lock(dev->ieee80211_ptr); |
2999 | 2998 | err = nl80211_key_allowed(dev->ieee80211_ptr); |
3000 | 2999 | |
3001 | - if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr && | |
3000 | + if (key.type == NL80211_KEYTYPE_GROUP && mac_addr && | |
3002 | 3001 | !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN)) |
3003 | 3002 | err = -ENOENT; |
3004 | 3003 |