Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0549e6ec authored by Varsha Mishra's avatar Varsha Mishra Committed by Madan Koyyalamudi
Browse files

qcacmn: Drop fragmented multicast/broadcast frames 

CVE-2020-26145
Broadcast and multicast frames should never be fragmented. Several devices
process broadcasted fragments as normal unfragmented frames. Moreover, some
devices accept plaintext fragmented broadcast or multicast frames in
protected Wi-Fi networks. An adversary can abuse this to inject packets
by encapsulating them in a fragmented plaintext broadcast frame. Even
unicast packets can be encapsulated in broadcast Wi-Fi frames and hence
be injected.

Change-Id: I3181a05e177cf9374a14edb748bc5001d058e0f3
CRs-Fixed: 2893212
parent c71f4e63

dp/wifi3.0/dp_rx_defrag.c

+12 −1
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2017-2020 The Linux Foundation. All rights reserved.

 * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.

 *

 * Permission to use, copy, modify, and/or distribute this software for

 * any purpose with or without fee is hereby granted, provided that the
@@ -932,6 +932,17 @@ dp_rx_construct_fraglist(struct dp_peer *peer, int tid, qdf_nbuf_t head, 
		prev_pn128[0] = cur_pn128[0];

		prev_pn128[1] = cur_pn128[1];



		/*

		 * Broadcast and multicast frames should never be fragmented.

		 * Iterating through all msdus and dropping fragments if even

		 * one of them has mcast/bcast destination address.

		 */

		if (hal_rx_msdu_is_wlan_mcast(msdu)) {

			QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,

				  "Dropping multicast/broadcast fragments");

			return QDF_STATUS_E_FAILURE;

		}



		dp_rx_frag_pull_hdr(msdu, hdrsize);

		len += qdf_nbuf_len(msdu);

		msdu = qdf_nbuf_next(msdu);