On Wed, Dec 04, 2013 at 01:07:29PM +0000, Stepanov, Max wrote:
> > 304         if (pairwise)
> > 305                 key = rcu_dereference(sta->ptk[key_idx]);
> > 306         else if (key_idx < NUM_DEFAULT_KEYS)
> > 307                 key = rcu_dereference(sta->gtk[key_idx]);
> >
> > key_idx is a number between 0 and 5.
> > NUM_DEFAULT_KEYS is 4.
> > ->ptk has 4 elements.
> > ->gtk has 6 elements.
> >
> > I looked but I didn't see that "pairwise" implied that key_idx is less than 4.
> > These are set in nl80211_get_key().
>
> Hi Dan,
>
> 1. ptk - I think you are right here - need to verify that key_idx doesn't exceed sta->ptk array boundaries. I'll prepare the fix
> 2. gtk - frankly I'm not sure about key_idx < NUM_DEFAULT_KEYS. I understand why it's here: not to return management keys, but I don't see a reason why not to do it... In any case I'll prepare the fix for this case too

It worries me that we are doing #2 without being sure... I have no idea about this code, I'm just doing static analysis without a deep understanding at all.

regards,
dan carpenter
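The bounds problem the thread discusses, modelled in stand-alone C as an added illustration (this is not mac80211 code): the arrays and constants mirror the sizes stated above (ptk has 4 elements, gtk has 6, NUM_DEFAULT_KEYS is 4, key_idx may be 0..5); the `struct sta`, `struct key`, `PTK_ARRAY_LEN` and `GTK_ARRAY_LEN` names are constructed for the example. The pairwise branch gets the range check the thread says is missing, while the gtk branch keeps the existing `key_idx < NUM_DEFAULT_KEYS` test unchanged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Sizes as stated in the thread (constructed constants for this model). */
#define NUM_DEFAULT_KEYS 4
#define PTK_ARRAY_LEN    4   /* ->ptk has 4 elements */
#define GTK_ARRAY_LEN    6   /* ->gtk has 6 elements */

struct key { int id; };               /* stand-in for the real key struct */
struct sta {                          /* stand-in for the real station struct */
	struct key *ptk[PTK_ARRAY_LEN];
	struct key *gtk[GTK_ARRAY_LEN];
};

/* Is key_idx inside the array that the lookup would index?
 * In the quoted code only the gtk branch is range-checked, so a pairwise
 * request with key_idx 4 or 5 would read past the end of ptk[]. */
static bool key_index_valid(bool pairwise, int key_idx)
{
	if (key_idx < 0)
		return false;
	if (pairwise)
		return key_idx < PTK_ARRAY_LEN;   /* the check the thread says is missing */
	return key_idx < NUM_DEFAULT_KEYS;        /* existing gtk check, kept unchanged */
}

/* Lookup that refuses out-of-range indices instead of indexing blindly. */
static struct key *lookup_key_checked(struct sta *sta, bool pairwise, int key_idx)
{
	if (!key_index_valid(pairwise, key_idx))
		return NULL;
	return pairwise ? sta->ptk[key_idx] : sta->gtk[key_idx];
}

int main(void)
{
	/* Walk every key_idx the thread says nl80211 can hand us. */
	for (int idx = 0; idx <= 5; idx++)
		printf("key_idx %d: pairwise %s, group %s\n", idx,
		       key_index_valid(true, idx) ? "ok" : "rejected",
		       key_index_valid(false, idx) ? "ok" : "rejected");
	return 0;
}
```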