Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d8ca16db authored by Johannes Berg's avatar Johannes Berg
Browse files

mac80211: add length check in ieee80211_is_robust_mgmt_frame() 



A few places weren't checking that the frame passed to the
function actually has enough data even though the function
clearly documents it must have a payload byte. Make this
safer by changing the function to take an skb and checking
the length inside. The old version is preserved for now as
the rtl* drivers use it and don't have a correct skb.

Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent ae811e21

drivers/net/wireless/rtlwifi/rtl8188ee/trx.c

+1 −1
Original line number Diff line number Diff line
@@ -452,7 +452,7 @@ bool rtl88ee_rx_query_desc(struct ieee80211_hw *hw, 
			/* During testing, hdr was NULL */

			return false;

		}

		if ((ieee80211_is_robust_mgmt_frame(hdr)) &&

		if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&

		    (ieee80211_has_protected(hdr->frame_control)))

			rx_status->flag &= ~RX_FLAG_DECRYPTED;

		else

drivers/net/wireless/rtlwifi/rtl8192ce/trx.c

+1 −1
Original line number Diff line number Diff line
@@ -393,7 +393,7 @@ bool rtl92ce_rx_query_desc(struct ieee80211_hw *hw, 
			/* In testing, hdr was NULL here */

			return false;

		}

		if ((ieee80211_is_robust_mgmt_frame(hdr)) &&

		if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&

		    (ieee80211_has_protected(hdr->frame_control)))

			rx_status->flag &= ~RX_FLAG_DECRYPTED;

		else

drivers/net/wireless/rtlwifi/rtl8192se/trx.c

+1 −1
Original line number Diff line number Diff line
@@ -310,7 +310,7 @@ bool rtl92se_rx_query_desc(struct ieee80211_hw *hw, struct rtl_stats *stats, 
			/* during testing, hdr was NULL here */

			return false;

		}

		if ((ieee80211_is_robust_mgmt_frame(hdr)) &&

		if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&

			(ieee80211_has_protected(hdr->frame_control)))

			rx_status->flag &= ~RX_FLAG_DECRYPTED;

		else

drivers/net/wireless/rtlwifi/rtl8723ae/trx.c

+1 −1
Original line number Diff line number Diff line
@@ -334,7 +334,7 @@ bool rtl8723ae_rx_query_desc(struct ieee80211_hw *hw, 
			/* during testing, hdr could be NULL here */

			return false;

		}

		if ((ieee80211_is_robust_mgmt_frame(hdr)) &&

		if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&

			(ieee80211_has_protected(hdr->frame_control)))

			rx_status->flag &= ~RX_FLAG_DECRYPTED;

		else

include/linux/ieee80211.h

+13 −2
Original line number Diff line number Diff line
@@ -2192,10 +2192,10 @@ static inline u8 *ieee80211_get_DA(struct ieee80211_hdr *hdr) 
}



/**

 * ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame

 * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame

 * @hdr: the frame (buffer must include at least the first octet of payload)

 */

static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)

static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)

{

	if (ieee80211_is_disassoc(hdr->frame_control) ||

	    ieee80211_is_deauth(hdr->frame_control))
@@ -2223,6 +2223,17 @@ static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr) 
	return false;

}



/**

 * ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame

 * @skb: the skb containing the frame, length will be checked

 */

static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)

{

	if (skb->len < 25)

		return false;

	return _ieee80211_is_robust_mgmt_frame((void *)skb->data);

}



/**

 * ieee80211_is_public_action - check if frame is a public action frame

 * @hdr: the frame