From patchwork Mon May 15 04:41:55 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rajkumar Manoharan X-Patchwork-Id: 9726055 X-Patchwork-Delegate: johannes@sipsolutions.net Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id F104260231 for ; Mon, 15 May 2017 04:42:33 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E52A727C0B for ; Mon, 15 May 2017 04:42:33 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D71C627FA3; Mon, 15 May 2017 04:42:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5419027C0B for ; Mon, 15 May 2017 04:42:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754760AbdEOEma (ORCPT ); Mon, 15 May 2017 00:42:30 -0400 Received: from wolverine02.qualcomm.com ([199.106.114.251]:43315 "EHLO wolverine02.qualcomm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751005AbdEOEm3 (ORCPT ); Mon, 15 May 2017 00:42:29 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1494823349; x=1526359349; h=from:to:cc:subject:date:message-id:mime-version; bh=nbdoIETPYWIDp5qSAw2AS51AmMljxp9ez/oUiOT75BM=; b=WV7Ye2EW0TyC+T3zDS05Rq/oFUhYddioGmOOp1uCiGrZMvEm6rDxFnAm 6yqKAcmCrkDcff359sdJJz9Jr1DuFUJBcVPt6cguAyz2GYxZZwM523GBF X9qcnPf45KLvtXtovF+4mELJ9xuRWDDDMKr7vEGUm22tiXxYNaUtt9VS1 o=; X-IronPort-AV: E=Sophos;i="5.38,343,1491289200"; d="scan'208";a="381503394" Received: from ironmsg01-lv.qualcomm.com ([10.47.202.180]) by wolverine02.qualcomm.com with ESMTP; 14 May 2017 21:42:28 -0700 X-IronPort-AV: E=McAfee;i="5800,7501,8529"; a="36802174" X-MGA-submission: =?us-ascii?q?MDHNyx4rrDNlQrYKMHNqQX17iL+94NhwLYT09F?= =?us-ascii?q?C9ZfrLSeEzQ/m7snZGyBomN7Tm+6K9m1YEJZjd6NgFr6kueSYisnEReO?= =?us-ascii?q?rukadchFN9xBO8vsZ4+wczARQSB1j0ruBvh+kd2YMFIhcAKjOYyq6WoW?= =?us-ascii?q?Vb?= Received: from nalasexr01h.na.qualcomm.com ([10.49.56.54]) by ironmsg01-lv.qualcomm.com with ESMTP/TLS/RC4-SHA; 14 May 2017 21:41:58 -0700 Received: from qcmail1.qualcomm.com (10.80.80.8) by NALASEXR01H.na.qualcomm.com (10.49.56.54) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sun, 14 May 2017 21:41:56 -0700 Received: by qcmail1.qualcomm.com (sSMTP sendmail emulation); Sun, 14 May 2017 21:41:56 -0700 From: Rajkumar Manoharan To: CC: , , Rajkumar Manoharan Subject: [PATCH v2] mac80211: strictly check mesh address extension mode Date: Sun, 14 May 2017 21:41:55 -0700 Message-ID: <1494823315-26575-1-git-send-email-rmanohar@qti.qualcomm.com> X-Mailer: git-send-email 1.9.1 MIME-Version: 1.0 X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: NASANEXM01F.na.qualcomm.com (10.85.0.32) To NALASEXR01H.na.qualcomm.com (10.49.56.54) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Mesh forwarding path checks for address extension mode to fetch appropriate proxied address and MPP address. Existing condition that looks for 6 address format is not strict enough so that frames with improper values are processed and invalid entries are added into MPP table. Fix that by adding a stricter check before processing the packet. Per IEEE Std 802.11s-2011 spec. Table 7-6g1 lists address extension mode 0x3 as reserved one. And also Table Table 9-13 does not specify 0x3 as valid address field. Signed-off-by: Rajkumar Manoharan --- v2: updated commit log and handled other AE cases net/mac80211/rx.c | 3 ++- net/wireless/util.c | 10 ++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 35f4c7d7a500..1f75280ba26c 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2492,7 +2492,8 @@ static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) if (is_multicast_ether_addr(hdr->addr1)) { mpp_addr = hdr->addr3; proxied_addr = mesh_hdr->eaddr1; - } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) { + } else if ((mesh_hdr->flags & MESH_FLAGS_AE) == + MESH_FLAGS_AE_A5_A6) { /* has_a4 already checked in ieee80211_rx_mesh_check */ mpp_addr = hdr->addr4; proxied_addr = mesh_hdr->eaddr2; diff --git a/net/wireless/util.c b/net/wireless/util.c index 7198373e2920..4992f1025c9d 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -454,6 +454,8 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, if (iftype == NL80211_IFTYPE_MESH_POINT) skb_copy_bits(skb, hdrlen, &mesh_flags, 1); + mesh_flags &= MESH_FLAGS_AE; + switch (hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) { case cpu_to_le16(IEEE80211_FCTL_TODS): @@ -469,9 +471,9 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, iftype != NL80211_IFTYPE_STATION)) return -1; if (iftype == NL80211_IFTYPE_MESH_POINT) { - if (mesh_flags & MESH_FLAGS_AE_A4) + if (mesh_flags == MESH_FLAGS_AE_A4) return -1; - if (mesh_flags & MESH_FLAGS_AE_A5_A6) { + if (mesh_flags == MESH_FLAGS_AE_A5_A6) { skb_copy_bits(skb, hdrlen + offsetof(struct ieee80211s_hdr, eaddr1), tmp.h_dest, 2 * ETH_ALEN); @@ -487,9 +489,9 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, ether_addr_equal(tmp.h_source, addr))) return -1; if (iftype == NL80211_IFTYPE_MESH_POINT) { - if (mesh_flags & MESH_FLAGS_AE_A5_A6) + if (mesh_flags == MESH_FLAGS_AE_A5_A6) return -1; - if (mesh_flags & MESH_FLAGS_AE_A4) + if (mesh_flags == MESH_FLAGS_AE_A4) skb_copy_bits(skb, hdrlen + offsetof(struct ieee80211s_hdr, eaddr1), tmp.h_source, ETH_ALEN);