diff mbox series

[06/11] wifi: mac80211: Fix elements scratch buffer allocation

Message ID 20230504134511.828474-7-gregory.greenman@intel.com (mailing list archive)
State Accepted
Delegated to: Johannes Berg
Headers show
Series cfg80211/mac80211 patches from our internal tree 2023-05-04 | expand

Commit Message

Greenman, Gregory May 4, 2023, 1:45 p.m. UTC 
From: Ilan Peer <ilan.peer@intel.com>

Current code allocated a scratch buffer that is the length
of the elements. However this is not sufficient as the
defragmentation can happen in the following places concurrently:

- MBSSID element defragmentation
- EHT ML element defragmentation
- EHT ML element sub element defragmentation

Fix the length and the scratch buffer allocation to allow
up to 3 defragmentations.

While at it remove the 'scratch_len' field from
'struct ieee80211_elems_parse_params' as it is not
really needed or used.

Fixes: ff05d4b45dd8 ("wifi: mac80211: fix MBSSID parsing use-after-free")
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
---
 net/mac80211/ieee80211_i.h | 3 ---
 net/mac80211/util.c        | 2 +-
 2 files changed, 1 insertion(+), 4 deletions(-)
diff mbox series

Patch

diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index b0372e76f373..e67c5c754be1 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -2269,8 +2269,6 @@  static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
  *	(or re-association) response frame if this is given
  * @from_ap: frame is received from an AP (currently used only
  *	for EHT capabilities parsing)
- * @scratch_len: if non zero, specifies the requested length of the scratch
- *      buffer; otherwise, 'len' is used.
  */
 struct ieee80211_elems_parse_params {
 	const u8 *start;
@@ -2281,7 +2279,6 @@  struct ieee80211_elems_parse_params {
 	struct cfg80211_bss *bss;
 	int link_id;
 	bool from_ap;
-	size_t scratch_len;
 };
 
 struct ieee802_11_elems *
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index ead4b095cc4d..b0c035cf13da 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1604,7 +1604,7 @@  ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
 	const struct element *non_inherit = NULL;
 	u8 *nontransmitted_profile;
 	int nontransmitted_profile_len = 0;
-	size_t scratch_len = params->scratch_len ?: 3 * params->len;
+	size_t scratch_len = 3 * params->len;
 
 	elems = kzalloc(sizeof(*elems) + scratch_len, GFP_ATOMIC);
 	if (!elems)