mac80211: add length check in ieee80211_is_robust_mgmt_frame()
A few places weren't checking that the frame passed to the function actually has enough data even though the function clearly documents it must have a payload byte. Make this safer by changing the function to take an skb and checking the length inside. The old version is preserved for now as the rtl* drivers use it and don't have a correct skb. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
parent
ae811e21df
commit
d8ca16db6b
8 changed files with 28 additions and 19 deletions
|
@ -452,7 +452,7 @@ bool rtl88ee_rx_query_desc(struct ieee80211_hw *hw,
|
|||
/* During testing, hdr was NULL */
|
||||
return false;
|
||||
}
|
||||
if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||
if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||
(ieee80211_has_protected(hdr->frame_control)))
|
||||
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
||||
else
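Review bot: The call to `_ieee80211_is_robust_mgmt_frame(hdr)` here remains an unchecked read, because nothing visible in this hunk shows that the buffer behind hdr covers the first payload octet the helper's kernel-doc requires. The same applies to the identical call sites in rtl92ce_rx_query_desc, rtl92se_rx_query_desc and rtl8723ae_rx_query_desc. A comment at each call, such as `/* unchecked variant: no usable skb here; hdr must span >= 25 bytes */`, would record the assumption. If the received packet length from the RX descriptor is available in these functions, it could gate the call. The enclosing function starts and ends outside the hunk.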
|
||||
|
|
|
@ -393,7 +393,7 @@ bool rtl92ce_rx_query_desc(struct ieee80211_hw *hw,
|
|||
/* In testing, hdr was NULL here */
|
||||
return false;
|
||||
}
|
||||
if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||
if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||
(ieee80211_has_protected(hdr->frame_control)))
|
||||
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
||||
else
|
||||
|
|
|
@ -310,7 +310,7 @@ bool rtl92se_rx_query_desc(struct ieee80211_hw *hw, struct rtl_stats *stats,
|
|||
/* during testing, hdr was NULL here */
|
||||
return false;
|
||||
}
|
||||
if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||
if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||
(ieee80211_has_protected(hdr->frame_control)))
|
||||
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
||||
else
|
||||
|
|
|
@ -334,7 +334,7 @@ bool rtl8723ae_rx_query_desc(struct ieee80211_hw *hw,
|
|||
/* during testing, hdr could be NULL here */
|
||||
return false;
|
||||
}
|
||||
if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||
if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
|
||||
(ieee80211_has_protected(hdr->frame_control)))
|
||||
rx_status->flag &= ~RX_FLAG_DECRYPTED;
|
||||
else
|
||||
|
|
|
@ -2192,10 +2192,10 @@ static inline u8 *ieee80211_get_DA(struct ieee80211_hdr *hdr)
|
|||
}
|
||||
|
||||
/**
|
||||
* ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
|
||||
* _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
|
||||
* @hdr: the frame (buffer must include at least the first octet of payload)
|
||||
*/
|
||||
static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
||||
static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
||||
{
|
||||
if (ieee80211_is_disassoc(hdr->frame_control) ||
|
||||
ieee80211_is_deauth(hdr->frame_control))
|
||||
|
@ -2223,6 +2223,17 @@ static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
|||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
|
||||
* @skb: the skb containing the frame, length will be checked
|
||||
*/
|
||||
static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
|
||||
{
|
||||
if (skb->len < 25)
|
||||
return false;
|
||||
return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
|
||||
}
|
||||
|
||||
/**
|
||||
* ieee80211_is_public_action - check if frame is a public action frame
|
||||
* @hdr: the frame
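Review bot: The bound `skb->len < 25` in the new ieee80211_is_robust_mgmt_frame() is an unexplained magic number, presumably the 24-byte management header plus the one payload octet that the kernel-doc of the underscore variant requires. A comment such as `/* 24-byte mgmt header + first payload octet */` would make the bound checkable against that contract. The kernel-doc of `_ieee80211_is_robust_mgmt_frame` should also state that it performs no length check and that callers holding an skb should use the checked wrapper. Separately, skb->len counts paged data while the wrapper dereferences skb->data, so if a non-linear skb can reach this helper the bound would have to be on the linear length; that cannot be determined from this hunk.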
|
||||
|
|
|
@ -599,10 +599,10 @@ static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
|
|||
{
|
||||
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
|
||||
|
||||
if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
|
||||
if (is_multicast_ether_addr(hdr->addr1))
|
||||
return 0;
|
||||
|
||||
return ieee80211_is_robust_mgmt_frame(hdr);
|
||||
return ieee80211_is_robust_mgmt_frame(skb);
|
||||
}
|
||||
|
||||
|
||||
|
@ -610,10 +610,10 @@ static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
|
|||
{
|
||||
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
|
||||
|
||||
if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
|
||||
if (!is_multicast_ether_addr(hdr->addr1))
|
||||
return 0;
|
||||
|
||||
return ieee80211_is_robust_mgmt_frame(hdr);
|
||||
return ieee80211_is_robust_mgmt_frame(skb);
|
||||
}
|
||||
|
||||
|
||||
|
@ -626,7 +626,7 @@ static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
|
|||
if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
|
||||
return -1;
|
||||
|
||||
if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
|
||||
if (!ieee80211_is_robust_mgmt_frame(skb))
|
||||
return -1; /* not a robust management frame */
|
||||
|
||||
mmie = (struct ieee80211_mmie *)
|
||||
|
@ -1845,8 +1845,7 @@ static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
|
|||
* having configured keys.
|
||||
*/
|
||||
if (unlikely(ieee80211_is_action(fc) && !rx->key &&
|
||||
ieee80211_is_robust_mgmt_frame(
|
||||
(struct ieee80211_hdr *) rx->skb->data)))
|
||||
ieee80211_is_robust_mgmt_frame(rx->skb)))
|
||||
return -EACCES;
|
||||
}
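Review bot: With the `skb->len < 24` test removed, ieee80211_is_unicast_robust_mgmt_frame() and ieee80211_is_multicast_robust_mgmt_frame() both read `hdr->addr1` before any length check runs, since the new bound lives inside ieee80211_is_robust_mgmt_frame(skb), which is called afterwards. Callers may already guarantee a full header, but that is not visible in these hunks. Calling the checked helper first would keep both functions self-contained: `if (!ieee80211_is_robust_mgmt_frame(skb)) return 0;` followed by `return !is_multicast_ether_addr(hdr->addr1);` in the unicast case, and by the un-negated test in the multicast case.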
|
||||
|
||||
|
|
|
@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc, struct sta_info *sta,
|
|||
if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
|
||||
return 0;
|
||||
|
||||
if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
|
||||
skb->data))
|
||||
if (!ieee80211_is_robust_mgmt_frame(skb))
|
||||
return 0;
|
||||
|
||||
return 1;
|
||||
|
@ -567,7 +566,7 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
|
|||
tx->key = key;
|
||||
else if (ieee80211_is_mgmt(hdr->frame_control) &&
|
||||
is_multicast_ether_addr(hdr->addr1) &&
|
||||
ieee80211_is_robust_mgmt_frame(hdr) &&
|
||||
ieee80211_is_robust_mgmt_frame(tx->skb) &&
|
||||
(key = rcu_dereference(tx->sdata->default_mgmt_key)))
|
||||
tx->key = key;
|
||||
else if (is_multicast_ether_addr(hdr->addr1) &&
|
||||
|
@ -582,12 +581,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
|
|||
tx->key = NULL;
|
||||
else if (tx->skb->protocol == tx->sdata->control_port_protocol)
|
||||
tx->key = NULL;
|
||||
else if (ieee80211_is_robust_mgmt_frame(hdr) &&
|
||||
else if (ieee80211_is_robust_mgmt_frame(tx->skb) &&
|
||||
!(ieee80211_is_action(hdr->frame_control) &&
|
||||
tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
|
||||
tx->key = NULL;
|
||||
else if (ieee80211_is_mgmt(hdr->frame_control) &&
|
||||
!ieee80211_is_robust_mgmt_frame(hdr))
|
||||
!ieee80211_is_robust_mgmt_frame(tx->skb))
|
||||
tx->key = NULL;
|
||||
else {
|
||||
I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
|
||||
|
|
|
@ -494,7 +494,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
|
|||
hdrlen = ieee80211_hdrlen(hdr->frame_control);
|
||||
|
||||
if (!ieee80211_is_data(hdr->frame_control) &&
|
||||
!ieee80211_is_robust_mgmt_frame(hdr))
|
||||
!ieee80211_is_robust_mgmt_frame(skb))
|
||||
return RX_CONTINUE;
|
||||
|
||||
data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
|
||||
|
|