From: "John W. Linville" <linville@tuxdriver.com>
To: Mathy Vanhoef <vanhoefm@gmail.com>
Cc: Pau Koning <paukoning@gmail.com>,
	Oleksij Rempel <linux@rempel-privat.de>,
	linux-wireless@vger.kernel.org, jouni@qca.qualcomm.com,
	vthiagar@qca.qualcomm.com, senthilb@qca.qualcomm.com,
	ath9k-devel@qualcomm.com
Subject: Re: [PATCH] ath9k_htc: properly set MAC address and BSSID mask
Date: Fri, 6 Dec 2013 11:25:56 -0500
Message-ID: <20131206162555.GD13285@tuxdriver.com>
In-Reply-To: <52972749.70200@gmail.com>

Can we get some comments on this patch?  It is attempting to address
a CVE.

John

On Thu, Nov 28, 2013 at 12:21:45PM +0100, Mathy Vanhoef wrote:
> Third time's the charm? 
> --
> From: "Mathy Vanhoef" <vanhoefm@gmail.com>
> 
> Pick the MAC address of the first virtual interface as the new hardware MAC
> address. Set BSSID mask according to this MAC address. This fixes CVE-2013-4579.
> 
> Signed-off-by: Mathy Vanhoef <vanhoefm@gmail.com>
> ---
> diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
> index d441045..84359c3 100644
> --- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
> +++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
> @@ -147,21 +147,26 @@ static void ath9k_htc_bssid_iter(void *data, u8 *mac, struct ieee80211_vif *vif)
>  	struct ath9k_vif_iter_data *iter_data = data;
>  	int i;
>  
> -	for (i = 0; i < ETH_ALEN; i++)
> -		iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
> +	if (iter_data->hw_macaddr != NULL) {
> +		for (i = 0; i < ETH_ALEN; i++)
> +			iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
> +	} else {
> +		iter_data->hw_macaddr = mac;
> +	}
>  }
>  
> -static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv,
> +static void ath9k_htc_set_mac_bssid_mask(struct ath9k_htc_priv *priv,
>  				     struct ieee80211_vif *vif)
>  {
>  	struct ath_common *common = ath9k_hw_common(priv->ah);
>  	struct ath9k_vif_iter_data iter_data;
>  
>  	/*
> -	 * Use the hardware MAC address as reference, the hardware uses it
> -	 * together with the BSSID mask when matching addresses.
> +	 * Pick the MAC address of the first interface as the new hardware
> +	 * MAC address. The hardware will use it together with the BSSID mask
> +	 * when matching addresses.
>  	 */
> -	iter_data.hw_macaddr = common->macaddr;
> +	iter_data.hw_macaddr = NULL;
>  	memset(&iter_data.mask, 0xff, ETH_ALEN);
>  
>  	if (vif)
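Review bot: Storing the callback's pointer in the else branch of ath9k_htc_bssid_iter() (`iter_data->hw_macaddr = mac;`) creates a lifetime dependency, because the pointer is only dereferenced later by the memcpy() into common->macaddr, after the iteration has finished. Nothing in the visible lines guarantees the buffer behind `mac` is still valid and unchanged at that point. Copying the ETH_ALEN bytes into storage owned by iter_data, with a flag recording that a reference address was chosen, would remove that dependency. Minor style point: after the rename, the continuation line `struct ieee80211_vif *vif)` no longer lines up with the opening parenthesis.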
> @@ -173,6 +178,10 @@ static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv,
>  		ath9k_htc_bssid_iter, &iter_data);
>  
>  	memcpy(common->bssidmask, iter_data.mask, ETH_ALEN);
> +
> +	if (iter_data.hw_macaddr)
> +		memcpy(common->macaddr, iter_data.hw_macaddr, ETH_ALEN);
> +
>  	ath_hw_setbssidmask(common);
>  }
>  
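Review bot: Nothing visible after the new memcpy() into common->macaddr writes that address to the hardware; the only call that follows is ath_hw_setbssidmask(common), whose name suggests it programs the mask alone. The commit message promises a new hardware MAC address, so either state in the changelog or a comment that this helper also writes the station address, or add that write here. Otherwise the mask is computed against a reference address the hardware is not using.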
> @@ -1083,7 +1092,7 @@ static int ath9k_htc_add_interface(struct ieee80211_hw *hw,
>  		goto out;
>  	}
>  
> -	ath9k_htc_set_bssid_mask(priv, vif);
> +	ath9k_htc_set_mac_bssid_mask(priv, vif);
>  
>  	priv->vif_slot |= (1 << avp->index);
>  	priv->nvifs++;
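Review bot: The "first interface" wording in the new comment needs confirming against this call site, where vif is the interface being added. The `if (vif)` branch in ath9k_htc_set_mac_bssid_mask() runs before the active-interface iteration and hw_macaddr starts at NULL, so if that branch hands vif to ath9k_htc_bssid_iter(), the newest interface's address becomes the reference even when older interfaces exist. Please confirm which interface is meant to win and document it next to the call.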
> @@ -1148,7 +1157,7 @@ static void ath9k_htc_remove_interface(struct ieee80211_hw *hw,
>  
>  	ath9k_htc_set_opmode(priv);
>  
> -	ath9k_htc_set_bssid_mask(priv, vif);
> +	ath9k_htc_set_mac_bssid_mask(priv, vif);
>  
>  	/*
>  	 * Stop ANI only if there are no associated station interfaces.
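Review bot: At this call site vif is the interface being removed, so it should not be a candidate for the new hardware MAC address. If the `if (vif)` branch in ath9k_htc_set_mac_bssid_mask() passes it to ath9k_htc_bssid_iter() first, hw_macaddr ends up pointing at the address of the interface that is going away, and that address is then copied into common->macaddr. Consider excluding the departing interface when choosing the reference, and add a comment saying which address is expected to remain afterwards.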
> diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
> index b6aad69..99ab0aa 100644
> --- a/drivers/net/wireless/ath/ath9k/main.c
> +++ b/drivers/net/wireless/ath/ath9k/main.c
> @@ -885,8 +885,9 @@ void ath9k_calculate_iter_data(struct ieee80211_hw *hw,
>  	struct ath_common *common = ath9k_hw_common(ah);
>  
>  	/*
> -	 * Use the hardware MAC address as reference, the hardware uses it
> -	 * together with the BSSID mask when matching addresses.
> +	 * Pick the MAC address of the first interface as the new hardware
> +	 * MAC address. The hardware will use it together with the BSSID mask
> +	 * when matching addresses.
>  	 */
>  	memset(iter_data, 0, sizeof(*iter_data));
>  	memset(&iter_data->mask, 0xff, ETH_ALEN);
> 
> 
> 
> 
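Review bot: The changelog does not mention drivers/net/wireless/ath/ath9k/main.c, yet the comment in ath9k_calculate_iter_data() is rewritten while the two memset() calls below it stay unchanged. Either note in the commit message that main.c receives a comment-only sync, or split it into its own patch so the CVE fix stays confined to htc_drv_main.c and is easier to backport.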

-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.
