[1/1] wireless: mac80211: Avoid using uninitialized stack data

Commit Message

Jes Sorensen Dec. 10, 2014, 7:14 p.m. UTC

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Avoid case where we would access uninitialized stack data if a driver
advertises HT support without 40MHz channel support.

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 net/mac80211/mlme.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Johannes Berg Dec. 11, 2014, 8:14 a.m. UTC | #1

On Wed, 2014-12-10 at 14:14 -0500, Jes.Sorensen@redhat.com wrote:
> From: Jes Sorensen <Jes.Sorensen@redhat.com>
> 
> Avoid case where we would access uninitialized stack data if a driver
> advertises HT support without 40MHz channel support.

>  		ret = IEEE80211_STA_DISABLE_40MHZ;
> +		vht_chandef = *chandef;

I think we can and should disable VHT in this case, since VHT requires
40 and 80 MHz support.

johannes

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Johannes Berg Dec. 12, 2014, 11:03 a.m. UTC | #2

On Wed, 2014-12-10 at 14:14 -0500, Jes.Sorensen@redhat.com wrote:
> From: Jes Sorensen <Jes.Sorensen@redhat.com>
> 
> Avoid case where we would access uninitialized stack data if a driver
> advertises HT support without 40MHz channel support.

I've fixed the commit message (it's actually in the check for the *AP*,
not the driver!)

Also, this is complicated. We originally had the DISABLE_VHT, but then
found APs that were doing it wrong - see commit f3000e1b43f1 ("mac80211:
fix broken use of VHT/20Mhz with some APs"). That fix introduced the bug
here, going back now to the DISABLE_VHT as I'd suggested would break the
fix again ... I'm thus taking this version to just put the right data on
the stack, with the correct Fixes/Cc stable tags.

johannes


--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Jes Sorensen Dec. 12, 2014, 2:02 p.m. UTC | #3

Johannes Berg <johannes@sipsolutions.net> writes:
> On Wed, 2014-12-10 at 14:14 -0500, Jes.Sorensen@redhat.com wrote:
>> From: Jes Sorensen <Jes.Sorensen@redhat.com>
>> 
>> Avoid case where we would access uninitialized stack data if a driver
>> advertises HT support without 40MHz channel support.
>
> I've fixed the commit message (it's actually in the check for the *AP*,
> not the driver!)
>
> Also, this is complicated. We originally had the DISABLE_VHT, but then
> found APs that were doing it wrong - see commit f3000e1b43f1 ("mac80211:
> fix broken use of VHT/20Mhz with some APs"). That fix introduced the bug
> here, going back now to the DISABLE_VHT as I'd suggested would break the
> fix again ... I'm thus taking this version to just put the right data on
> the stack, with the correct Fixes/Cc stable tags.

Either patch works for me, so I'm all good! Thanks for fixing this up!

Cheers,
Jes
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 93af0f1..da1f639 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -174,6 +174,7 @@  ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
 	if (!(ht_cap->cap_info &
 	      cpu_to_le16(IEEE80211_HT_CAP_SUP_WIDTH_20_40))) {
 		ret = IEEE80211_STA_DISABLE_40MHZ;
+		vht_chandef = *chandef;
 		goto out;
 	}