wifi: cfg80211: wext: fix IGTK key ID off-by-one

[ Upstream commit c8d7f21ead727485ebf965e2b4d42d4a4f0840f6 ]

The IGTK key ID must be 4 or 5, but the code checks against
key ID + 1, so must check against 5/6 rather than 4/5. Fix
that.

Reported-by: Jouni Malinen <j@w1.fi>
Fixes: 08645126dd24 ("cfg80211: implement wext key handling")
Link: https://patch.msgid.link/20260209181220.362205-2-johannes@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index 1241fda78a68c4746f2e6ae6f8de5ebc9bca8fb8..680500fa57cfdf3b8350c8eabb4381859310e5a1 100644 (file)
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -684,7 +684,7 @@ static int cfg80211_wext_siwencodeext(struct net_device *dev,
 
        idx = erq->flags & IW_ENCODE_INDEX;
        if (cipher == WLAN_CIPHER_SUITE_AES_CMAC) {
-               if (idx < 4 || idx > 5) {
+               if (idx < 5 || idx > 6) {
                        idx = wdev->wext.default_mgmt_key;
                        if (idx < 0)
                                return -EINVAL;