* [PATCH] wifi: mac80211_hwsim: drop short frames
@ 2023-08-15 16:16 Johannes Berg
2023-08-15 18:20 ` Jeff Johnson
0 siblings, 1 reply; 3+ messages in thread
From: Johannes Berg @ 2023-08-15 16:16 UTC (permalink / raw)
To: linux-wireless; +Cc: Johannes Berg, syzbot+b2645b5bf1512b81fa22
From: Johannes Berg <johannes.berg@intel.com>
Frames that don't even have addr1 are clearly not valid,
drop those early in the netlink/wmediumd path here.
Reported-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
drivers/net/wireless/virtual/mac80211_hwsim.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
index f446fd0e8cd0..8f1e4420ed1e 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -5626,14 +5626,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]);
frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]);
+ if (frame_data_len < offsetofend(typeof(*hdr), addr1) ||
+ frame_data_len > IEEE80211_MAX_DATA_LEN)
+ goto err;
+
/* Allocate new skb here */
skb = alloc_skb(frame_data_len, GFP_KERNEL);
if (skb == NULL)
goto err;
- if (frame_data_len > IEEE80211_MAX_DATA_LEN)
- goto err;
-
/* Copy the data */
skb_put_data(skb, frame_data, frame_data_len);
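Review bot: the lower bound `offsetofend(typeof(*hdr), addr1)` in the added check only guarantees that addr1 is inside the attribute, but hdr->addr2 is read further down the receive path (mac80211_hwsim_rx() passes it to ieee80211_find_sta_by_link_addrs(), as Jeff Johnson's reply in this thread points out), so a 10-byte ACK-sized frame passes this check and addr2/addr3 are still read beyond the copied data. Suggest bounding on the whole 3-address header instead, `if (frame_data_len < sizeof(struct ieee80211_hdr_3addr) ||`, and noting in the commit message that the IEEE80211_MAX_DATA_LEN check was also moved ahead of alloc_skb(), so a rejected frame no longer allocates an skb before being dropped.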
--
2.41.0
* Re: [PATCH] wifi: mac80211_hwsim: drop short frames
From: Jeff Johnson @ 2023-08-15 18:20 UTC (permalink / raw)
To: Johannes Berg, linux-wireless; +Cc: Johannes Berg, syzbot+b2645b5bf1512b81fa22
On 8/15/2023 9:16 AM, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> Frames that don't even have addr1 are clearly not valid,
> drop those early in the netlink/wmediumd path here.
>
> Reported-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
> drivers/net/wireless/virtual/mac80211_hwsim.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
> index f446fd0e8cd0..8f1e4420ed1e 100644
> --- a/drivers/net/wireless/virtual/mac80211_hwsim.c
> +++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
> @@ -5626,14 +5626,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
> frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]);
> frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]);
>
> + if (frame_data_len < offsetofend(typeof(*hdr), addr1) ||
Curious why addr1. If the frame ends after addr1, then don't you have a
problem in mac80211_hwsim_rx() when it passes hdr->addr2 to
ieee80211_find_sta_by_link_addrs()?
> + frame_data_len > IEEE80211_MAX_DATA_LEN)
> + goto err;
> +
> /* Allocate new skb here */
> skb = alloc_skb(frame_data_len, GFP_KERNEL);
> if (skb == NULL)
> goto err;
>
> - if (frame_data_len > IEEE80211_MAX_DATA_LEN)
> - goto err;
> -
> /* Copy the data */
> skb_put_data(skb, frame_data, frame_data_len);
>
* Re: [PATCH] wifi: mac80211_hwsim: drop short frames
From: Johannes Berg @ 2023-08-15 19:25 UTC (permalink / raw)
To: Jeff Johnson, linux-wireless; +Cc: syzbot+b2645b5bf1512b81fa22
On Tue, 2023-08-15 at 11:20 -0700, Jeff Johnson wrote:
> On 8/15/2023 9:16 AM, Johannes Berg wrote:
> > From: Johannes Berg <johannes.berg@intel.com>
> >
> > Frames that don't even have addr1 are clearly not valid,
> > drop those early in the netlink/wmediumd path here.
> >
> > Reported-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com
> > Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> > ---
> > drivers/net/wireless/virtual/mac80211_hwsim.c | 7 ++++---
> > 1 file changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
> > index f446fd0e8cd0..8f1e4420ed1e 100644
> > --- a/drivers/net/wireless/virtual/mac80211_hwsim.c
> > +++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
> > @@ -5626,14 +5626,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
> > frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]);
> > frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]);
> >
> > + if (frame_data_len < offsetofend(typeof(*hdr), addr1) ||
>
> Curious why addr1.
>
I figured that was the shortest legal 802.11 frame, e.g. an ACK frame.
> If the frame ends after addr1, then don't you have a
> problem in mac80211_hwsim_rx() when it passes hdr->addr2 to
> ieee80211_find_sta_by_link_addrs()?
But of course you're right about that, so we should just make sure we
have at least the full struct ieee80211_hdr_3addr here, I guess.
johannes
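The thread ends with the conclusion that the lower bound has to cover the whole struct ieee80211_hdr_3addr rather than just addr1. The program below is an added example for this thread, not code from the kernel or from the patch: it mirrors the layout of the kernel's 3-address header in a local stand-in struct and puts the two lower bounds side by side on constructed frames (an ACK-sized 10-byte control frame and a 24-byte data header). The names ex_hdr_3addr, EX_MAX_DATA_LEN, ex_offsetofend() and the sample byte arrays are all assumptions made here; EX_MAX_DATA_LEN takes the value 2304 as a stand-in for IEEE80211_MAX_DATA_LEN, and the 10- and 24-byte sizes follow from the packed layout of the stand-in struct.

```c
/* Added example, not kernel code: why the raw-frame lower bound must cover
 * every header field the receive path reads (addr2 included), not just addr1. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define EX_MAX_DATA_LEN 2304  /* assumed stand-in for IEEE80211_MAX_DATA_LEN */

/* Stand-in mirroring the layout of the kernel's struct ieee80211_hdr_3addr:
 * frame control, duration/ID, addr1..addr3, sequence control (24 bytes). */
struct ex_hdr_3addr {
	uint16_t frame_control;
	uint16_t duration_id;
	uint8_t addr1[6];
	uint8_t addr2[6];
	uint8_t addr3[6];
	uint16_t seq_ctrl;
} __attribute__((packed));

/* Same idea as the kernel's offsetofend(): offset of the byte after MEMBER. */
#define ex_offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

enum ex_verdict { EX_ACCEPT = 0, EX_TOO_SHORT = -1, EX_TOO_LONG = -2 };

/* Bound as in the posted patch: only addr1 has to be inside the data. */
static int ex_check_addr1_only(size_t len)
{
	if (len < ex_offsetofend(struct ex_hdr_3addr, addr1))
		return EX_TOO_SHORT;
	if (len > EX_MAX_DATA_LEN)
		return EX_TOO_LONG;
	return EX_ACCEPT;
}

/* Bound the thread settles on: the full 3-address header must be present,
 * because the receive path later reads hdr->addr2. */
static int ex_check_3addr(size_t len)
{
	if (len < sizeof(struct ex_hdr_3addr))
		return EX_TOO_SHORT;
	if (len > EX_MAX_DATA_LEN)
		return EX_TOO_LONG;
	return EX_ACCEPT;
}

/* Copies addr2 out of the frame only after the 3-address bound passed;
 * returns 1 on success, 0 when the frame is too short to carry addr2. */
static int ex_get_addr2(const uint8_t *frame, size_t len, uint8_t out[6])
{
	if (ex_check_3addr(len) != EX_ACCEPT)
		return 0;
	memcpy(out, ((const struct ex_hdr_3addr *)frame)->addr2, 6);
	return 1;
}

/* Constructed sample frames (not captured traffic). */
#define EX_ACK_LEN 10    /* fc + duration + addr1: the ACK control frame */
#define EX_3ADDR_LEN 24  /* minimal 3-address header */
static const uint8_t ex_ack_frame[EX_ACK_LEN] = {
	0xd4, 0x00, 0x00, 0x00,
	0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };           /* addr1 only */
static const uint8_t ex_data_frame[EX_3ADDR_LEN] = {
	0x08, 0x00, 0x00, 0x00,
	0x02, 0x11, 0x22, 0x33, 0x44, 0x55,             /* addr1 */
	0x02, 0x66, 0x77, 0x88, 0x99, 0xaa,             /* addr2 */
	0x02, 0x66, 0x77, 0x88, 0x99, 0xaa,             /* addr3 */
	0x00, 0x00 };                                   /* seq ctrl */

/* First byte of addr2 via the checked accessor, or -1 if the frame is rejected. */
static int ex_addr2_first_byte(const uint8_t *frame, size_t len)
{
	uint8_t a2[6];

	if (!ex_get_addr2(frame, len, a2))
		return -1;
	return a2[0];
}

int main(void)
{
	printf("ACK-sized frame (%d bytes): addr1-only bound=%d, 3addr bound=%d\n",
	       EX_ACK_LEN, ex_check_addr1_only(EX_ACK_LEN),
	       ex_check_3addr(EX_ACK_LEN));
	printf("3-address frame (%d bytes): addr1-only bound=%d, 3addr bound=%d\n",
	       EX_3ADDR_LEN, ex_check_addr1_only(EX_3ADDR_LEN),
	       ex_check_3addr(EX_3ADDR_LEN));
	printf("addr2[0] of ACK-sized frame via checked accessor: %d\n",
	       ex_addr2_first_byte(ex_ack_frame, EX_ACK_LEN));
	printf("addr2[0] of 3-address frame via checked accessor: %d\n",
	       ex_addr2_first_byte(ex_data_frame, EX_3ADDR_LEN));
	return 0;
}
```

The addr1-only bound accepts the 10-byte frame, and any later read of addr2 on it would go past the bytes that were copied into the skb; the 3-address bound rejects it and leaves every field the receive path touches inside the buffer.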