nl80211: check for the required netlink attributes presence

commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream. nl80211_set_rekey_data() does not check if the required attributes NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by users with CAP_NET_ADMIN privilege and may result in NULL dereference and a system crash. Add a check for the required attributes presence. This patch is based on the patch by bo Zhang. This fixes CVE-2017-12153. Change-Id: Ifb64d8c664a83433b8e623ecc45c64e3a0139153 References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046 Fixes: e5497d7 ("cfg80211/nl80211: support GTK rekey offload") Reported-by: bo Zhang <[email protected]> Signed-off-by: Vladis Dronov <[email protected]> Signed-off-by: Johannes Berg <[email protected]> Signed-off-by: Ben Hutchings <[email protected]> Signed-off-by: Francisco Franco <[email protected]>
franciscofranco · Dec 9, 2017 · 0626c11 · 0626c11
1 parent 0187ffd
commit 0626c11
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
@@ -6513,6 +6513,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
 	if (err)
 		return err;
 
+	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+	    !tb[NL80211_REKEY_DATA_KCK])
+		return -EINVAL;
 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
 		return -ERANGE;
 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)