From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Takashi Iwai <tiwai@suse.de>,
	Brian Norris <briannorris@chromium.org>,
	Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH 4.4 18/40] mwifiex: Dont abort on small, spec-compliant vendor IEs
Date: Thu, 18 Jul 2019 12:02:14 +0900	[thread overview]
Message-ID: <20190718030046.010086928@linuxfoundation.org> (raw)
In-Reply-To: <20190718030039.676518610@linuxfoundation.org>

From: Brian Norris <briannorris@chromium.org>

commit 63d7ef36103d26f20325a921ecc96a3288560146 upstream.

Per the 802.11 specification, vendor IEs are (at minimum) only required
to contain an OUI. A type field is also included in ieee80211.h (struct
ieee80211_vendor_ie) but doesn't appear in the specification. The
remaining fields (subtype, version) are a convention used in WMM
headers.

Thus, we should not reject vendor-specific IEs that have only the
minimum length (3 bytes) -- we should skip over them (since we only want
to match longer IEs, that match either WMM or WPA formats). We can
reject elements that don't have the minimum-required 3 byte OUI.

While we're at it, move the non-standard subtype and version fields into
the WMM structs, to avoid this confusion in the future about generic
"vendor header" attributes.

Fixes: 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element")
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/mwifiex/fw.h        |   12 +++++++++---
 drivers/net/wireless/mwifiex/scan.c      |   18 +++++++++++-------
 drivers/net/wireless/mwifiex/sta_ioctl.c |    4 ++--
 drivers/net/wireless/mwifiex/wmm.c       |    2 +-
 4 files changed, 23 insertions(+), 13 deletions(-)

--- a/drivers/net/wireless/mwifiex/fw.h
+++ b/drivers/net/wireless/mwifiex/fw.h
@@ -1589,9 +1589,10 @@ struct mwifiex_ie_types_wmm_queue_status
 struct ieee_types_vendor_header {
 	u8 element_id;
 	u8 len;
-	u8 oui[4];	/* 0~2: oui, 3: oui_type */
-	u8 oui_subtype;
-	u8 version;
+	struct {
+		u8 oui[3];
+		u8 oui_type;
+	} __packed oui;
 } __packed;
 
 struct ieee_types_wmm_parameter {
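Review bot: `sizeof(struct ieee_types_vendor_header)` shrinks from 6 to 4 bytes with this change, so any remaining length check elsewhere that uses sizeof(vend_hdr) as the minimum vendor element length now admits elements two bytes shorter than before; the scan.c hunk is updated, but other users are outside this diff and cannot be confirmed here. A comment on the struct, `/* Minimum 802.11 vendor element body: 3-byte OUI plus the vendor type octet. WMM subtype/version follow in the enclosing structs. */`, would record why the header is deliberately this short.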
@@ -1605,6 +1606,9 @@ struct ieee_types_wmm_parameter {
 	 *   Version     [1]
 	 */
 	struct ieee_types_vendor_header vend_hdr;
+	u8 oui_subtype;
+	u8 version;
+
 	u8 qos_info_bitmap;
 	u8 reserved;
 	struct ieee_types_wmm_ac_parameters ac_params[IEEE80211_NUM_ACS];
@@ -1622,6 +1626,8 @@ struct ieee_types_wmm_info {
 	 *   Version     [1]
 	 */
 	struct ieee_types_vendor_header vend_hdr;
+	u8 oui_subtype;
+	u8 version;
 
 	u8 qos_info_bitmap;
 } __packed;
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1332,21 +1332,25 @@ int mwifiex_update_bss_desc_with_ie(stru
 			break;
 
 		case WLAN_EID_VENDOR_SPECIFIC:
-			if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
-				return -EINVAL;
-
 			vendor_ie = (struct ieee_types_vendor_specific *)
 					current_ptr;
 
-			if (!memcmp
-			    (vendor_ie->vend_hdr.oui, wpa_oui,
-			     sizeof(wpa_oui))) {
+			/* 802.11 requires at least 3-byte OUI. */
+			if (element_len < sizeof(vendor_ie->vend_hdr.oui.oui))
+				return -EINVAL;
+
+			/* Not long enough for a match? Skip it. */
+			if (element_len < sizeof(wpa_oui))
+				break;
+
+			if (!memcmp(&vendor_ie->vend_hdr.oui, wpa_oui,
+				    sizeof(wpa_oui))) {
 				bss_entry->bcn_wpa_ie =
 					(struct ieee_types_vendor_specific *)
 					current_ptr;
 				bss_entry->wpa_offset = (u16)
 					(current_ptr - bss_entry->beacon_buf);
-			} else if (!memcmp(vendor_ie->vend_hdr.oui, wmm_oui,
+			} else if (!memcmp(&vendor_ie->vend_hdr.oui, wmm_oui,
 				    sizeof(wmm_oui))) {
 				if (total_ie_len ==
 				    sizeof(struct ieee_types_wmm_parameter) ||
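Review bot: The skip guard `if (element_len < sizeof(wpa_oui))` is the only bound in front of both compares, so the later `memcmp(&vendor_ie->vend_hdr.oui, wmm_oui, sizeof(wmm_oui))` stays in bounds only while sizeof(wmm_oui) == sizeof(wpa_oui). Both arrays are defined outside the hunk, so that equality is an unstated invariant; a `BUILD_BUG_ON(sizeof(wmm_oui) != sizeof(wpa_oui));` beside the guard, or a comment `/* wpa_oui and wmm_oui are both OUI + type; one guard covers both compares */`, would pin it. The WMM branch then checks total_ie_len against the full struct sizes before touching the trailing fields, which is the right place for that now that vend_hdr no longer carries subtype/version. mwifiex_update_bss_desc_with_ie starts and ends outside the hunk.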
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -1305,7 +1305,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex
 	pvendor_ie = (struct ieee_types_vendor_header *) ie_data_ptr;
 	/* Test to see if it is a WPA IE, if not, then it is a gen IE */
 	if (((pvendor_ie->element_id == WLAN_EID_VENDOR_SPECIFIC) &&
-	     (!memcmp(pvendor_ie->oui, wpa_oui, sizeof(wpa_oui)))) ||
+	     (!memcmp(&pvendor_ie->oui, wpa_oui, sizeof(wpa_oui)))) ||
 	    (pvendor_ie->element_id == WLAN_EID_RSN)) {
 
 		/* IE is a WPA/WPA2 IE so call set_wpa function */
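Review bot: The compare `!memcmp(&pvendor_ie->oui, wpa_oui, sizeof(wpa_oui))` reads the four OUI bytes behind the 2-byte element header regardless of how long the buffer behind ie_data_ptr is, and no check of the caller-supplied length against `sizeof(*pvendor_ie)` is visible in this hunk; the same applies to the wps_oui compare in the second hunk. If such a check exists earlier in the function, a comment on the cast line, `/* caller guarantees the buffer holds a full struct ieee_types_vendor_header */`, would make the precondition explicit; if it does not, a short element reaching this ioctl path is over-read here and both compares need a length guard in front of them. mwifiex_set_gen_ie_helper starts before the hunk, so the presence of that check cannot be confirmed from this diff.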
@@ -1330,7 +1330,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex
 		 */
 		pvendor_ie = (struct ieee_types_vendor_header *) ie_data_ptr;
 		if ((pvendor_ie->element_id == WLAN_EID_VENDOR_SPECIFIC) &&
-		    (!memcmp(pvendor_ie->oui, wps_oui, sizeof(wps_oui)))) {
+		    (!memcmp(&pvendor_ie->oui, wps_oui, sizeof(wps_oui)))) {
 			priv->wps.session_enable = true;
 			mwifiex_dbg(priv->adapter, INFO,
 				    "info: WPS Session Enabled.\n");
--- a/drivers/net/wireless/mwifiex/wmm.c
+++ b/drivers/net/wireless/mwifiex/wmm.c
@@ -240,7 +240,7 @@ mwifiex_wmm_setup_queue_priorities(struc
 	mwifiex_dbg(priv->adapter, INFO,
 		    "info: WMM Parameter IE: version=%d,\t"
 		    "qos_info Parameter Set Count=%d, Reserved=%#x\n",
-		    wmm_ie->vend_hdr.version, wmm_ie->qos_info_bitmap &
+		    wmm_ie->version, wmm_ie->qos_info_bitmap &
 		    IEEE80211_WMM_IE_AP_QOSINFO_PARAM_SET_CNT_MASK,
 		    wmm_ie->reserved);
 



