Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion

wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the
driver for SAE/OWE offload cases") SSID based PMKSA del commands.
brcmfmac is not prepared and tries to dereference the NULL bssid and
pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based
updates so copy the SSID.

Fixes: a96202acaea4 ("wifi: brcmfmac: cfg80211: Add support for PMKID_V3 operations")
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Janne Grunau <j@jannau.net>
Reviewed-by: Neal Gompa <neal@gompa.dev>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240803-brcmfmac_pmksa_del_ssid-v1-1-4e85f19135e1@jannau.net

Authored by Janne Grunau and committed by Kalle Valo
2ad4e1ad f1cb9d5a

+10 -3
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
··· 4320 4320 /* Single PMK operation */ 4321 4321 pmk_op->count = cpu_to_le16(1); 4322 4322 length += sizeof(struct brcmf_pmksa_v3); 4323 - memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN); 4324 - memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN); 4325 - pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN; 4323 + if (pmksa->bssid) 4324 + memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN); 4325 + if (pmksa->pmkid) { 4326 + memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN); 4327 + pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN; 4328 + } 4329 + if (pmksa->ssid && pmksa->ssid_len) { 4330 + memcpy(pmk_op->pmk[0].ssid.SSID, pmksa->ssid, pmksa->ssid_len); 4331 + pmk_op->pmk[0].ssid.SSID_len = pmksa->ssid_len; 4332 + } 4326 4333 pmk_op->pmk[0].time_left = cpu_to_le32(alive ? BRCMF_PMKSA_NO_EXPIRY : 0); 4327 4334 } 4328 4335
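Review bot: The new SSID copy, memcpy(pmk_op->pmk[0].ssid.SSID, pmksa->ssid, pmksa->ssid_len), takes its length from the caller, while the two copies next to it use the fixed sizes ETH_ALEN and WLAN_PMKID_LEN, and nothing in this hunk bounds ssid_len against the size of the destination array. Please either clamp or reject the request when pmksa->ssid_len exceeds sizeof(pmk_op->pmk[0].ssid.SSID), or add a short comment naming where the length is already validated before it reaches this function, so the bound is visible at the copy site. A smaller point on the same lines: with all three fields now optional, a request that carries no bssid, no pmkid and no ssid still builds a single-entry operation with count set to 1 and every identifier left as it was initialized; it would be worth returning an error early in that case or documenting what the firmware does with such an entry.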