Commit 2ad4e1ad authored by Janne Grunau, committed by Kalle Valo

wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion

wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the
driver for SAE/OWE offload cases") SSID based PMKSA del commands.
brcmfmac is not prepared and tries to dereference the NULL bssid and
pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based
updates so copy the SSID.

Fixes: a96202ac ("wifi: brcmfmac: cfg80211: Add support for PMKID_V3 operations")
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Janne Grunau <j@jannau.net>
Reviewed-by: Neal Gompa <neal@gompa.dev>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240803-brcmfmac_pmksa_del_ssid-v1-1-4e85f19135e1@jannau.net
parent f1cb9d5a
......@@ -4320,9 +4320,16 @@ brcmf_pmksa_v3_op(struct brcmf_if *ifp, struct cfg80211_pmksa *pmksa,
/* Single PMK operation */
pmk_op->count = cpu_to_le16(1);
length += sizeof(struct brcmf_pmksa_v3);
if (pmksa->bssid)
memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN);
if (pmksa->pmkid) {
memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN);
pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN;
}
if (pmksa->ssid && pmksa->ssid_len) {
memcpy(pmk_op->pmk[0].ssid.SSID, pmksa->ssid, pmksa->ssid_len);
pmk_op->pmk[0].ssid.SSID_len = pmksa->ssid_len;
}
pmk_op->pmk[0].time_left = cpu_to_le32(alive ? BRCMF_PMKSA_NO_EXPIRY : 0);
}
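Review bot: The new SSID copy, memcpy(pmk_op->pmk[0].ssid.SSID, pmksa->ssid, pmksa->ssid_len), takes its length straight from the caller and nothing in this hunk compares it with the size of the destination array. The bssid and pmkid copies use the fixed lengths ETH_ALEN and WLAN_PMKID_LEN, so this is the only variable-length copy in the block. If the upper layer already guarantees the bound, a short comment saying so would help; otherwise reject or clamp with a check against sizeof(pmk_op->pmk[0].ssid.SSID) before the memcpy, so an oversized ssid_len cannot write past the firmware structure. It would also be worth stating in a comment which of bssid, pmkid and ssid may be NULL for a delete, since the NULL checks are the whole point of the fix.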
......