kpriv/linux-hardened
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
linux-hardened/net
History
Petr Štetiar 1f951a7f8b mac80211: fix NULL pointer dereference in ieee80211_key_alloc() 
The ieee80211_key struct can be kfree()d several times in the function, for
example if some of the key setup functions fails beforehand, but there's no
check if the struct is still valid before we call memcpy() and INIT_LIST_HEAD()
on it.  In some cases (like it was in my case), if there's missing aes-generic
module it could lead to the following kernel OOPS:

	Unable to handle kernel NULL pointer dereference at virtual address 0000018c
	....
	PC is at memcpy+0x80/0x29c
	...
	Backtrace:
	[<bf11c5e4>] (ieee80211_key_alloc+0x0/0x234 [mac80211]) from [<bf1148b4>] (ieee80211_add_key+0x70/0x12c [mac80211])
	[<bf114844>] (ieee80211_add_key+0x0/0x12c [mac80211]) from [<bf070cc0>] (__cfg80211_set_encryption+0x2a8/0x464 [cfg80211])

Signed-off-by: Petr Štetiar <ynezz@true.cz>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-03-28 15:42:02 -04:00
..
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
802
8021q vlan: should take into account needed_headroom 2011-03-18 15:13:12 -07:00
appletalk appletalk: remove the BKL 2011-03-05 10:55:57 +01:00
atm ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
ax25
batman-adv Merge branch 'batman-adv/next' of git://git.open-mesh.org/ecsv/linux-merge 2011-03-07 00:37:13 -08:00
bluetooth Bluetooth: Fix warning with hci_cmd_timer 2011-03-24 17:04:44 -03:00
bridge bridge: Reset IPCB when entering IP stack on NF_FORWARD 2011-03-18 15:13:12 -07:00
caif Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-02-08 17:19:01 -08:00
can
ceph libceph: fix msgr standby handling 2011-03-04 12:25:05 -08:00
core ethtool: __ethtool_set_sg: check for function pointer before using it 2011-03-18 15:13:10 -07:00
dcb net: dcbnl: Update copyright dates 2011-03-14 17:02:42 -07:00
dccp net: Put fl6_* macros to struct flowi6 and use them again. 2011-03-12 15:08:55 -08:00
decnet decnet: Convert to use flowidn where applicable. 2011-03-12 15:08:55 -08:00
dns_resolver DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-04 09:56:19 +11:00
dsa dsa/mv88e6060: support nonzero mii base address 2011-03-08 14:24:20 -08:00
econet econet: 4 byte infoleak to the network 2011-03-18 15:12:15 -07:00
ethernet
ieee802154
ipv4 netfilter: ipt_CLUSTERIP: fix buffer overflow 2011-03-20 15:42:52 +01:00
ipv6 netfilter: xtables: fix reentrancy 2011-03-20 15:40:06 +01:00
ipx ipx: remove the BKL 2011-03-05 10:55:58 +01:00
irda tty: now phase out the ioctl file pointer for good 2011-02-17 11:59:56 -08:00
iucv
key pfkey: fix warning 2011-03-01 22:51:52 -08:00
l2tp ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
lapb
llc llc: avoid skb_clone() if there is only one handler 2011-02-28 12:28:50 -08:00
mac80211 mac80211: fix NULL pointer dereference in ieee80211_key_alloc() 2011-03-28 15:42:02 -04:00
netfilter netfilter: ipset: fix checking the type revision at create command 2011-03-20 15:35:01 +01:00
netlabel netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms 2011-03-03 10:55:40 -08:00
netlink Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-03 21:27:42 -08:00
netrom
packet af_packet: struct socket declared/assigned but unused 2011-03-07 15:51:13 -08:00
phonet Phonet: fix aligned-mode pipe socket buffer header reserve 2011-03-15 14:55:49 -07:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
rfkill
rose ROSE: AX25: finding routes simplification 2011-02-14 13:33:49 -08:00
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
sched ipv4: Remove flowi from struct rtable. 2011-03-04 21:55:31 -08:00
sctp ipv6: Convert to use flowi6 where applicable. 2011-03-12 15:08:54 -08:00
sunrpc Merge branch 'nfs-for-2.6.39' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 2011-03-17 17:40:00 -07:00
tipc tipc: delete extra semicolon blocking node deletion 2011-03-14 12:21:12 -04:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
wanrouter
wimax
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-03-15 14:16:48 -04:00
x25 x25: remove the BKL 2011-03-05 10:55:45 +01:00
xfrm xfrm: Refcount destination entry on xfrm_lookup 2011-03-16 12:55:36 -07:00
compat.c
Kconfig
Makefile net: Enter net/ipv6/ even if CONFIG_IPV6=n 2011-03-07 12:50:52 -08:00
nonet.c
socket.c ethtool: Compat handling for struct ethtool_rxnfc 2011-03-18 15:13:11 -07:00
sysctl_net.c
TUNABLE