| Field | Value |
|---|---|
| Message ID | 20230815212800.d849938fdc9f.I1efbeef082c3f7094037882f213202d760848eb7@changeid (mailing list archive) |
| State | Accepted |
| Delegated to | Johannes Berg |
| Series | [v2] wifi: mac80211_hwsim: drop short frames |
On 8/15/2023 12:28 PM, Johannes Berg wrote: > From: Johannes Berg <johannes.berg@intel.com> > > While technically some control frames like ACK are shorter and > end after Address 1, such frames shouldn't be forwarded through > wmediumd or similar userspace, so require the full 3-address > header to avoid accessing invalid memory if shorter frames are > passed in. > > Reported-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com > Signed-off-by: Johannes Berg <johannes.berg@intel.com> Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com> > --- > drivers/net/wireless/virtual/mac80211_hwsim.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c > index f446fd0e8cd0..dd516cec4197 100644 > --- a/drivers/net/wireless/virtual/mac80211_hwsim.c > +++ b/drivers/net/wireless/virtual/mac80211_hwsim.c > @@ -5626,14 +5626,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, > frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]); > frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]); > > + if (frame_data_len < sizeof(struct ieee80211_hdr_3addr) || > + frame_data_len > IEEE80211_MAX_DATA_LEN) > + goto err; > + > /* Allocate new skb here */ > skb = alloc_skb(frame_data_len, GFP_KERNEL); > if (skb == NULL) > goto err; > > - if (frame_data_len > IEEE80211_MAX_DATA_LEN) > - goto err; > - > /* Copy the data */ > skb_put_data(skb, frame_data, frame_data_len); >
diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c index f446fd0e8cd0..dd516cec4197 100644 --- a/drivers/net/wireless/virtual/mac80211_hwsim.c +++ b/drivers/net/wireless/virtual/mac80211_hwsim.c @@ -5626,14 +5626,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]); frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]); + if (frame_data_len < sizeof(struct ieee80211_hdr_3addr) || + frame_data_len > IEEE80211_MAX_DATA_LEN) + goto err; + /* Allocate new skb here */ skb = alloc_skb(frame_data_len, GFP_KERNEL); if (skb == NULL) goto err; - if (frame_data_len > IEEE80211_MAX_DATA_LEN) - goto err; - /* Copy the data */ skb_put_data(skb, frame_data, frame_data_len);
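Review bot: the new early `goto err` at the top of the hunk now reaches the `err` label before `skb` has been assigned by `alloc_skb()`, and neither the `skb` declaration nor the `err` label is in the hunk, so confirm that `skb` is initialised to NULL (or that `err` does not touch `skb`); the existing `if (skb == NULL) goto err;` shows the label already tolerates a NULL `skb`, but not an uninitialised one. Moving the combined check `if (frame_data_len < sizeof(struct ieee80211_hdr_3addr) || frame_data_len > IEEE80211_MAX_DATA_LEN)` ahead of the allocation is the right shape: the netlink attribute length is validated before any memory is allocated for it, and the later `skb_put_data(skb, frame_data, frame_data_len)` can no longer copy a frame shorter than the header that subsequent parsing reads. Since the reason for choosing the 3-address header as the floor (short control frames such as ACK are legitimately shorter but are not expected from wmediumd or similar userspace) lives only in the commit message, a one-line comment above the check would help the next reader who wonders why the shorter control-frame header is not accepted.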