>	if (pairwise)
>		key = rcu_dereference(sta->ptk[key_idx]);
>	else if (key_idx < NUM_DEFAULT_KEYS)
>		key = rcu_dereference(sta->gtk[key_idx]);
>
> key_idx is a number between 0 and 5.
> NUM_DEFAULT_KEYS is 4.
> ->ptk has 4 elements.
> ->gtk has 6 elements.
>
> I looked but I didn't see that "pairwise" implied that key_idx is less than 4.
> These are set in nl80211_get_key().

Hi Dan,

1. ptk - I think you are right here - need to verify that key_idx doesn't exceed sta->ptk array boundaries. I'll prepare the fix.
2. gtk - frankly I'm not sure about key_idx < NUM_DEFAULT_KEYS. I understand why it's here: not to return management keys, but I don't see a reason why not to do it... In any case I'll prepare the fix for this case too.

Max
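The bounds issue discussed in this thread, as an added example that is not part of the original mails or the kernel source: a simplified user-space model that enumerates which (pairwise, key_idx) inputs would index past `ptk[]` in the quoted logic, next to a lookup that checks against the array size. The `model_*` names and `MODEL_GTK_SLOTS` are hypothetical; the array sizes and the 0..5 range are the ones stated in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_DEFAULT_KEYS  4   /* value stated in the thread */
#define MODEL_GTK_SLOTS   6   /* hypothetical name; thread: ->gtk has 6 elements */
#define MODEL_MAX_KEY_IDX 5   /* thread: key_idx is between 0 and 5 */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

struct model_key { int id; };

/* Simplified stand-in for the station entry: only the two key arrays. */
struct model_sta {
    struct model_key *ptk[NUM_DEFAULT_KEYS];
    struct model_key *gtk[MODEL_GTK_SLOTS];
};

/* Would the quoted logic read past an array? Computed only, never dereferenced. */
static bool quoted_logic_out_of_bounds(bool pairwise, unsigned int key_idx)
{
    if (pairwise)
        return key_idx >= NUM_DEFAULT_KEYS;  /* ptk[] has 4 slots, no check */
    return false;  /* gtk path is guarded by key_idx < NUM_DEFAULT_KEYS */
}

/* Count the inputs in the stated range that overrun an array. */
static int count_oob_inputs(void)
{
    int n = 0;
    for (int pairwise = 0; pairwise <= 1; pairwise++)
        for (unsigned int idx = 0; idx <= MODEL_MAX_KEY_IDX; idx++)
            n += quoted_logic_out_of_bounds(pairwise != 0, idx);
    return n;
}

/* Lookup with the ptk index checked against the array size. */
static struct model_key *lookup_key_checked(const struct model_sta *sta,
                                            bool pairwise, unsigned int key_idx)
{
    if (pairwise)
        return key_idx < ARRAY_LEN(sta->ptk) ? sta->ptk[key_idx] : NULL;
    if (key_idx < NUM_DEFAULT_KEYS)  /* guard from the quoted code, kept as is */
        return sta->gtk[key_idx];
    return NULL;
}

int main(void)
{
    printf("inputs that overrun an array: %d\n", count_oob_inputs());
    return 0;
}
```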