Commit a916db4b2568837bc2f5bc3e2a97329af26c8dc4

Authored by Johannes Berg
Committed by Greg Kroah-Hartman
1 parent d75bd2a694

nl80211: fix per-station group key get/del and memory leak

commit 0fa7b39131576dd1baa6ca17fca53c65d7f62249 upstream.

In case userspace attempts to obtain key information for or delete a
unicast key, this is currently erroneously rejected unless the driver
sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it
was never noticed.

Fix that, and while at it fix a potential memory leak: the error path
in the get_key() function was placed after allocating a message but
didn't free it - move it to a better place. Luckily admin permissions
are needed to call this operation.

Fixes: e31b82136d1ad ("cfg80211/mac80211: allow per-station GTKs")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Showing 1 changed file with 4 additions and 5 deletions

net/wireless/nl80211.c
... ... @@ -2805,6 +2805,9 @@
2805 2805 if (!rdev->ops->get_key)
2806 2806 return -EOPNOTSUPP;
2807 2807  
  2808 + if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
  2809 + return -ENOENT;
  2810 +
2808 2811 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2809 2812 if (!msg)
2810 2813 return -ENOMEM;
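Review bot: The new test at 2808 carries no comment explaining why a group key requested with a MAC address (a per-station GTK, going by the Fixes: tag) depends on WIPHY_FLAG_IBSS_RSN, and the same rule is spelled differently in the delete path, which tests key.type == NL80211_KEYTYPE_GROUP instead of !pairwise. Placing the check ahead of nlmsg_new() is the right spot, since the early return then has nothing to free. A one-line comment here, or a small helper shared by both call sites, would make it harder for the two conditions to drift apart again.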
... ... @@ -2824,10 +2827,6 @@
2824 2827 nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
2825 2828 goto nla_put_failure;
2826 2829  
2827   - if (pairwise && mac_addr &&
2828   - !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
2829   - return -ENOENT;
2830   -
2831 2830 err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
2832 2831 get_key_callback);
2833 2832  
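Review bot: After the bare return -ENOENT is removed from between the nla_put() block and rdev_get_key(), the only error exit visible in this hunk after nlmsg_new() is goto nla_put_failure; the handling of err following rdev_get_key() lies outside the hunk and should be confirmed to release msg too. The removed lines were the leak described in the commit message, because they returned directly instead of going through a label that frees the message. It would help to state in the changelog which exit paths were audited, so the leak fix can be verified without reading the whole function.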
... ... @@ -2998,7 +2997,7 @@
2998 2997 wdev_lock(dev->ieee80211_ptr);
2999 2998 err = nl80211_key_allowed(dev->ieee80211_ptr);
3000 2999  
3001   - if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
  3000 + if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3002 3001 !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3003 3002 err = -ENOENT;
3004 3003
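Review bot: At 3000-3002 the assignment err = -ENOENT overwrites whatever nl80211_key_allowed() returned on the line above, so a failure from that call is reported as -ENOENT whenever the key is a group key with a MAC address on a device without WIPHY_FLAG_IBSS_RSN. The request is rejected either way, but the caller loses the original error code. Guarding the test with !err, or moving it ahead of wdev_lock() in the same way the get path now checks before allocating, would preserve it; the condition only reads key.type, mac_addr and rdev->wiphy.flags.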