linux-hardened/net
Petr Štetiar 1f951a7f8b mac80211: fix NULL pointer dereference in ieee80211_key_alloc()
The ieee80211_key struct can be kfree()d several times in the function, for
example if some of the key setup functions fails beforehand, but there's no
check if the struct is still valid before we call memcpy() and INIT_LIST_HEAD()
on it.  In some cases (like it was in my case), if there's missing aes-generic
module it could lead to the following kernel OOPS:

	Unable to handle kernel NULL pointer dereference at virtual address 0000018c
	....
	PC is at memcpy+0x80/0x29c
	...
	Backtrace:
	[<bf11c5e4>] (ieee80211_key_alloc+0x0/0x234 [mac80211]) from [<bf1148b4>] (ieee80211_add_key+0x70/0x12c [mac80211])
	[<bf114844>] (ieee80211_add_key+0x0/0x12c [mac80211]) from [<bf070cc0>] (__cfg80211_set_encryption+0x2a8/0x464 [cfg80211])

Signed-off-by: Petr Štetiar <ynezz@true.cz>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-03-28 15:42:02 -04:00
..
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
802
8021q vlan: should take into account needed_headroom 2011-03-18 15:13:12 -07:00
appletalk appletalk: remove the BKL 2011-03-05 10:55:57 +01:00
atm ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
ax25 net: ax25: fix information leak to userland harder 2011-01-12 00:34:49 -08:00
batman-adv Merge branch 'batman-adv/next' of git://git.open-mesh.org/ecsv/linux-merge 2011-03-07 00:37:13 -08:00
bluetooth Bluetooth: Fix warning with hci_cmd_timer 2011-03-24 17:04:44 -03:00
bridge bridge: Reset IPCB when entering IP stack on NF_FORWARD 2011-03-18 15:13:12 -07:00
caif Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-02-08 17:19:01 -08:00
can can: test size of struct sockaddr in sendmsg 2011-01-15 20:56:42 -08:00
ceph libceph: fix msgr standby handling 2011-03-04 12:25:05 -08:00
core ethtool: __ethtool_set_sg: check for function pointer before using it 2011-03-18 15:13:10 -07:00
dcb net: dcbnl: Update copyright dates 2011-03-14 17:02:42 -07:00
dccp net: Put fl6_* macros to struct flowi6 and use them again. 2011-03-12 15:08:55 -08:00
decnet decnet: Convert to use flowidn where applicable. 2011-03-12 15:08:55 -08:00
dns_resolver DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-04 09:56:19 +11:00
dsa dsa/mv88e6060: support nonzero mii base address 2011-03-08 14:24:20 -08:00
econet econet: 4 byte infoleak to the network 2011-03-18 15:12:15 -07:00
ethernet eth: fix new kernel-doc warning 2011-01-12 19:00:40 -08:00
ieee802154 net: RCU conversion of dev_getbyhwaddr() and arp_ioctl() 2010-12-08 10:07:24 -08:00
ipv4 netfilter: ipt_CLUSTERIP: fix buffer overflow 2011-03-20 15:42:52 +01:00
ipv6 netfilter: xtables: fix reentrancy 2011-03-20 15:40:06 +01:00
ipx ipx: remove the BKL 2011-03-05 10:55:58 +01:00
irda tty: now phase out the ioctl file pointer for good 2011-02-17 11:59:56 -08:00
iucv [S390] irq: have detailed statistics for interrupt types 2011-01-05 12:47:25 +01:00
key pfkey: fix warning 2011-03-01 22:51:52 -08:00
l2tp ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
lapb
llc llc: avoid skb_clone() if there is only one handler 2011-02-28 12:28:50 -08:00
mac80211 mac80211: fix NULL pointer dereference in ieee80211_key_alloc() 2011-03-28 15:42:02 -04:00
netfilter netfilter: ipset: fix checking the type revision at create command 2011-03-20 15:35:01 +01:00
netlabel netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms 2011-03-03 10:55:40 -08:00
netlink Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-03 21:27:42 -08:00
netrom
packet af_packet: struct socket declared/assigned but unused 2011-03-07 15:51:13 -08:00
phonet Phonet: fix aligned-mode pipe socket buffer header reserve 2011-03-15 14:55:49 -07:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
rfkill kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
rose ROSE: AX25: finding routes simplification 2011-02-14 13:33:49 -08:00
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
sched ipv4: Remove flowi from struct rtable. 2011-03-04 21:55:31 -08:00
sctp ipv6: Convert to use flowi6 where applicable. 2011-03-12 15:08:54 -08:00
sunrpc Merge branch 'nfs-for-2.6.39' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 2011-03-17 17:40:00 -07:00
tipc tipc: delete extra semicolon blocking node deletion 2011-03-14 12:21:12 -04:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
wanrouter net: cleanup unused macros in net directory 2011-01-19 23:20:04 -08:00
wimax
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-03-15 14:16:48 -04:00
x25 x25: remove the BKL 2011-03-05 10:55:45 +01:00
xfrm xfrm: Refcount destination entry on xfrm_lookup 2011-03-16 12:55:36 -07:00
compat.c
Kconfig net: RPS: Enable hardware acceleration of RFS 2011-01-24 14:53:01 -08:00
Makefile net: Enter net/ipv6/ even if CONFIG_IPV6=n 2011-03-07 12:50:52 -08:00
nonet.c
socket.c ethtool: Compat handling for struct ethtool_rxnfc 2011-03-18 15:13:11 -07:00
sysctl_net.c
TUNABLE