mac80211: add length check in ieee80211_is_robust_mgmt_frame()
A few places weren't checking that the frame passed to the function actually has enough data even though the function clearly documents it must have a payload byte. Make this safer by changing the function to take an skb and checking the length inside. The old version is preserved for now as the rtl* drivers use it and don't have a correct skb. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
Johannes Berg
parent
ae811e21df
commit
d8ca16db6b
8 changed files with 28 additions and 19 deletions
|
|
@ -452,7 +452,7 @@ bool rtl88ee_rx_query_desc(struct ieee80211_hw *hw,
|
||||||
/* During testing, hdr was NULL */
|
/* During testing, hdr was NULL */
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
|
if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||||
(ieee80211_has_protected(hdr->frame_control)))
|
(ieee80211_has_protected(hdr->frame_control)))
|
||||||
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
||||||
else
|
else
|
||||||
|
|
|
||||||
|
|
@ -393,7 +393,7 @@ bool rtl92ce_rx_query_desc(struct ieee80211_hw *hw,
|
||||||
/* In testing, hdr was NULL here */
|
/* In testing, hdr was NULL here */
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
|
if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||||
(ieee80211_has_protected(hdr->frame_control)))
|
(ieee80211_has_protected(hdr->frame_control)))
|
||||||
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
||||||
else
|
else
|
||||||
|
|
|
||||||
|
|
@ -310,7 +310,7 @@ bool rtl92se_rx_query_desc(struct ieee80211_hw *hw, struct rtl_stats *stats,
|
||||||
/* during testing, hdr was NULL here */
|
/* during testing, hdr was NULL here */
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
|
if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||||
(ieee80211_has_protected(hdr->frame_control)))
|
(ieee80211_has_protected(hdr->frame_control)))
|
||||||
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
||||||
else
|
else
|
||||||
|
|
|
||||||
|
|
@ -334,7 +334,7 @@ bool rtl8723ae_rx_query_desc(struct ieee80211_hw *hw,
|
||||||
/* during testing, hdr could be NULL here */
|
/* during testing, hdr could be NULL here */
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
|
if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||||
(ieee80211_has_protected(hdr->frame_control)))
|
(ieee80211_has_protected(hdr->frame_control)))
|
||||||
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
||||||
else
|
else
|
||||||
|
|
|
||||||
|
|
@ -2192,10 +2192,10 @@ static inline u8 *ieee80211_get_DA(struct ieee80211_hdr *hdr)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
|
* _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
|
||||||
* @hdr: the frame (buffer must include at least the first octet of payload)
|
* @hdr: the frame (buffer must include at least the first octet of payload)
|
||||||
*/
|
*/
|
||||||
static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
||||||
{
|
{
|
||||||
if (ieee80211_is_disassoc(hdr->frame_control) ||
|
if (ieee80211_is_disassoc(hdr->frame_control) ||
|
||||||
ieee80211_is_deauth(hdr->frame_control))
|
ieee80211_is_deauth(hdr->frame_control))
|
||||||
|
|
@ -2223,6 +2223,17 @@ static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
|
||||||
|
* @skb: the skb containing the frame, length will be checked
|
||||||
|
*/
|
||||||
|
static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
if (skb->len < 25)
|
||||||
|
return false;
|
||||||
|
return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ieee80211_is_public_action - check if frame is a public action frame
|
* ieee80211_is_public_action - check if frame is a public action frame
|
||||||
* @hdr: the frame
|
* @hdr: the frame
|
||||||
|
|
|
||||||
|
|
@ -599,10 +599,10 @@ static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
|
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
|
||||||
|
|
||||||
if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
|
if (is_multicast_ether_addr(hdr->addr1))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
return ieee80211_is_robust_mgmt_frame(hdr);
|
return ieee80211_is_robust_mgmt_frame(skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -610,10 +610,10 @@ static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
|
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
|
||||||
|
|
||||||
if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
|
if (!is_multicast_ether_addr(hdr->addr1))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
return ieee80211_is_robust_mgmt_frame(hdr);
|
return ieee80211_is_robust_mgmt_frame(skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -626,7 +626,7 @@ static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
|
||||||
if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
|
if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
|
if (!ieee80211_is_robust_mgmt_frame(skb))
|
||||||
return -1; /* not a robust management frame */
|
return -1; /* not a robust management frame */
|
||||||
|
|
||||||
mmie = (struct ieee80211_mmie *)
|
mmie = (struct ieee80211_mmie *)
|
||||||
|
|
@ -1845,8 +1845,7 @@ static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
|
||||||
* having configured keys.
|
* having configured keys.
|
||||||
*/
|
*/
|
||||||
if (unlikely(ieee80211_is_action(fc) && !rx->key &&
|
if (unlikely(ieee80211_is_action(fc) && !rx->key &&
|
||||||
ieee80211_is_robust_mgmt_frame(
|
ieee80211_is_robust_mgmt_frame(rx->skb)))
|
||||||
(struct ieee80211_hdr *) rx->skb->data)))
|
|
||||||
return -EACCES;
|
return -EACCES;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc, struct sta_info *sta,
|
||||||
if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
|
if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
|
if (!ieee80211_is_robust_mgmt_frame(skb))
|
||||||
skb->data))
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
|
|
@ -567,7 +566,7 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
|
||||||
tx->key = key;
|
tx->key = key;
|
||||||
else if (ieee80211_is_mgmt(hdr->frame_control) &&
|
else if (ieee80211_is_mgmt(hdr->frame_control) &&
|
||||||
is_multicast_ether_addr(hdr->addr1) &&
|
is_multicast_ether_addr(hdr->addr1) &&
|
||||||
ieee80211_is_robust_mgmt_frame(hdr) &&
|
ieee80211_is_robust_mgmt_frame(tx->skb) &&
|
||||||
(key = rcu_dereference(tx->sdata->default_mgmt_key)))
|
(key = rcu_dereference(tx->sdata->default_mgmt_key)))
|
||||||
tx->key = key;
|
tx->key = key;
|
||||||
else if (is_multicast_ether_addr(hdr->addr1) &&
|
else if (is_multicast_ether_addr(hdr->addr1) &&
|
||||||
|
|
@ -582,12 +581,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
|
||||||
tx->key = NULL;
|
tx->key = NULL;
|
||||||
else if (tx->skb->protocol == tx->sdata->control_port_protocol)
|
else if (tx->skb->protocol == tx->sdata->control_port_protocol)
|
||||||
tx->key = NULL;
|
tx->key = NULL;
|
||||||
else if (ieee80211_is_robust_mgmt_frame(hdr) &&
|
else if (ieee80211_is_robust_mgmt_frame(tx->skb) &&
|
||||||
!(ieee80211_is_action(hdr->frame_control) &&
|
!(ieee80211_is_action(hdr->frame_control) &&
|
||||||
tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
|
tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
|
||||||
tx->key = NULL;
|
tx->key = NULL;
|
||||||
else if (ieee80211_is_mgmt(hdr->frame_control) &&
|
else if (ieee80211_is_mgmt(hdr->frame_control) &&
|
||||||
!ieee80211_is_robust_mgmt_frame(hdr))
|
!ieee80211_is_robust_mgmt_frame(tx->skb))
|
||||||
tx->key = NULL;
|
tx->key = NULL;
|
||||||
else {
|
else {
|
||||||
I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
|
I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
|
||||||
|
|
|
||||||
|
|
@ -494,7 +494,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
|
||||||
hdrlen = ieee80211_hdrlen(hdr->frame_control);
|
hdrlen = ieee80211_hdrlen(hdr->frame_control);
|
||||||
|
|
||||||
if (!ieee80211_is_data(hdr->frame_control) &&
|
if (!ieee80211_is_data(hdr->frame_control) &&
|
||||||
!ieee80211_is_robust_mgmt_frame(hdr))
|
!ieee80211_is_robust_mgmt_frame(skb))
|
||||||
return RX_CONTINUE;
|
return RX_CONTINUE;
|
||||||
|
|
||||||
data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
|
data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue