From: Masashi Honma <masashi.honma@gmail.com>
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Masashi Honma <masashi.honma@gmail.com>
Subject: [PATCH 3/3] Fix PERR frame processing
Date: Sun, 10 May 2026 08:41:43 +0900 [thread overview]
Message-ID: <20260509234143.101237-3-masashi.honma@gmail.com> (raw)
In-Reply-To: <20260509234143.101237-1-masashi.honma@gmail.com>
There are no issues with the PERR processing itself; however, to maintain
consistency with the previous PREQ/PREP code modifications, I will create a new
mesh_path_parse_error_frame() function to separately implement the frame format
validation and the "not supported" check.
Assisted-by: Claude:Sonnet 4.6
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
---
include/linux/ieee80211-mesh.h | 38 ++++++++++++++++++++++++++++++++++
net/mac80211/mesh_hwmp.c | 11 ++++++++--
net/mac80211/parse.c | 9 ++++++--
3 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/include/linux/ieee80211-mesh.h b/include/linux/ieee80211-mesh.h
index ddbf475c1cc8..1bca65e49309 100644
--- a/include/linux/ieee80211-mesh.h
+++ b/include/linux/ieee80211-mesh.h
@@ -61,6 +61,7 @@ struct ieee80211s_hdr {
#define PREP_IE_TARGET_SN(x) u32_field_get(x, 9, 0)
#define PERR_IE_TTL(x) (*(x))
+#define PERR_IE_NUMBER_OF_DST(x) (*(x + 1))
#define PERR_IE_TARGET_FLAGS(x) (*(x + 2))
#define PERR_IE_TARGET_ADDR(x) (x + 3)
#define PERR_IE_TARGET_SN(x) u32_field_get(x, 9, 0)
@@ -301,4 +302,41 @@ static inline bool ieee80211_mesh_prep_size_ok(const u8 *pos, u8 elen)
return true;
}
+/* IEEE Std 802.11-2016 9.4.2.115 PERR element */
+static inline bool ieee80211_mesh_perr_size_ok(const u8 *pos, u8 elen)
+{
+ u8 number_of_dst;
+ u8 needed;
+ const u8 *start;
+ int i;
+
+ number_of_dst = PERR_IE_NUMBER_OF_DST(pos);
+ if (number_of_dst < 1 || number_of_dst > 19)
+ return false;
+
+ start = pos;
+ needed = 1 /* Element TTL */ + 1 /* Number of Destinations */;
+ pos += 2;
+
+ for (i = 0; i < number_of_dst; i++) {
+ u8 dst_len;
+
+ if (pos - start >= elen)
+ return false;
+
+ dst_len = 1 /* Flags */ + 6 /* Destination Address */ +
+ 4 /* HWMP Sequence Number */ +
+ (AE_F_SET(pos) ? 6 : 0)
+ /* Destination External Address */ +
+ 2 /* Reason Code */;
+ needed += dst_len;
+ pos += dst_len;
+ }
+
+ if (elen != needed)
+ return false;
+
+ return true;
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index c70cfc2d6299..d2295aa54bb4 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -902,6 +902,7 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
u32 path_metric;
struct sta_info *sta;
u8 target_count;
+ u8 number_of_dst;
/* need action_code */
if (len < IEEE80211_MIN_ACTION_SIZE(mesh_action))
@@ -952,9 +953,15 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
path_metric);
}
if (elems->perr) {
- if (elems->perr_len != 15)
- /* Right now we support only one destination per PERR */
+ /* Right now we support only one destination per PERR */
+ number_of_dst = PERR_IE_NUMBER_OF_DST(elems->perr);
+ if (number_of_dst != 1)
goto free;
+
+ /* Right now we do not support AE (Address Extension) */
+ if (PERR_IE_TARGET_FLAGS(elems->perr) & AE_F)
+ goto free;
+
hwmp_perr_frame_process(sdata, mgmt, elems->perr);
}
if (elems->rann)
diff --git a/net/mac80211/parse.c b/net/mac80211/parse.c
index bbd1e1bc77b4..d84e5e12ad24 100644
--- a/net/mac80211/parse.c
+++ b/net/mac80211/parse.c
@@ -565,8 +565,13 @@ _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
}
break;
case WLAN_EID_PERR:
- elems->perr = pos;
- elems->perr_len = elen;
+ if (ieee80211_mesh_perr_size_ok(pos, elen)) {
+ elems->perr = pos;
+ elems->perr_len = elen;
+ } else {
+ elem_parse_failed =
+ IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
+ }
break;
case WLAN_EID_RANN:
if (elen >= sizeof(struct ieee80211_rann_ie))
--
2.43.0
next prev parent reply other threads:[~2026-05-09 23:41 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <8f0a2488540f4a65ea4d837a06225a27a10cc305.camel@sipsolutions.net>
2026-05-08 22:59 ` [PATCH 1/3] Fix overread in PREQ frame processing Masashi Honma
2026-05-08 22:59 ` [PATCH 2/3] Fix overread in PREP " Masashi Honma
2026-05-08 22:59 ` [PATCH 3/3] Fix PERR " Masashi Honma
2026-05-09 9:17 ` [PATCH 1/3] Fix overread in PREQ " Johannes Berg
2026-05-09 23:41 ` Masashi Honma
2026-05-09 23:41 ` [PATCH 2/3] Fix overread in PREP " Masashi Honma
2026-05-09 23:41 ` Masashi Honma [this message]
2026-05-11 7:47 ` [PATCH 1/3] Fix overread in PREQ " Johannes Berg
2026-05-11 8:58 ` Masashi Honma
2026-05-11 9:01 ` Johannes Berg
2026-05-11 22:25 ` Masashi Honma
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260509234143.101237-3-masashi.honma@gmail.com \
--to=masashi.honma@gmail.com \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.