mac80211: bail out if cipher schemes are invalid

If any of the cipher schemes specified by the driver are invalid, bail
out and fail the registration rather than just warning.  Otherwise, we
might later crash when we try to use the invalid cipher scheme, e.g.
if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd
have an out-of-bounds access in RX validation.

Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support")
Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 1b9c82616606b8851b2da8a43b4f2c6ec0c5b49d..0331f3a3c40e0123a9fc6ed3fc7e9f5f08ad3952 100644 (file)
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1141,8 +1141,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        if (local->hw.wiphy->max_scan_ie_len)
                local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len;
 
-       WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
-                                        local->hw.n_cipher_schemes));
+       if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
+                                            local->hw.n_cipher_schemes))) {
+               result = -EINVAL;
+               goto fail_workqueue;
+       }
 
        result = ieee80211_init_cipher_suites(local);
        if (result < 0)