cfg80211: Fix validation of AKM suites

Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Cc: stable@kernel.org Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>

Author: jmalinen

net/wireless/nl80211.c

@@ -4113,9 +4113,12 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 if (len % sizeof(u32))
 return -EINVAL;
 
+if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
+return -EINVAL;
+
 memcpy(settings->akm_suites, data, len);
 
-for (i = 0; i < settings->n_ciphers_pairwise; i++)
+for (i = 0; i < settings->n_akm_suites; i++)
 if (!nl80211_valid_akm_suite(settings->akm_suites[i]))
 return -EINVAL;
 }