From: "Jérôme Pouiller" <jerome.pouiller@silabs.com>
To: Dmitry Antipov <dmantipov@yandex.ru>
Cc: Kalle Valo <kvalo@kernel.org>, linux-wireless@vger.kernel.org
Subject: Re: [PATCH] [v2] wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()
Date: Mon, 11 Dec 2023 11:01:08 +0100
Message-ID: <2306444.ElGaqSPkdT@pc-42>
In-Reply-To: <20231204171130.141394-1-dmantipov@yandex.ru>
On Monday 4 December 2023 18:11:28 CET Dmitry Antipov wrote:
> Since 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'
> should check the return value before examining skb data. So convert
> the latter to return an appropriate error code and propagate it to
> return from 'wfx_start_ap()' as well. Compile tested only.
>
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
> v2: adjust branches according to maintainer's suggestions
> ---
> drivers/net/wireless/silabs/wfx/sta.c | 42 ++++++++++++++++-----------
> 1 file changed, 25 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/net/wireless/silabs/wfx/sta.c b/drivers/net/wireless/silabs/wfx/sta.c
> index 1b6c158457b4..537caf9d914a 100644
> --- a/drivers/net/wireless/silabs/wfx/sta.c
> +++ b/drivers/net/wireless/silabs/wfx/sta.c
> @@ -336,29 +336,38 @@ static int wfx_upload_ap_templates(struct wfx_vif *wvif)
> return 0;
> }
>
> -static void wfx_set_mfp_ap(struct wfx_vif *wvif)
> +static int wfx_set_mfp_ap(struct wfx_vif *wvif)
> {
> struct ieee80211_vif *vif = wvif_to_vif(wvif);
> struct sk_buff *skb = ieee80211_beacon_get(wvif->wdev->hw, vif, 0);
> const int ieoffset = offsetof(struct ieee80211_mgmt, u.beacon.variable);
> - const u16 *ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset,
> - skb->len - ieoffset);
> const int pairwise_cipher_suite_count_offset = 8 / sizeof(u16);
> const int pairwise_cipher_suite_size = 4 / sizeof(u16);
> const int akm_suite_size = 4 / sizeof(u16);
> + const u16 *ptr;
>
> - if (ptr) {
> - ptr += pairwise_cipher_suite_count_offset;
> - if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
> - return;
> - ptr += 1 + pairwise_cipher_suite_size * *ptr;
> - if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
> - return;
> - ptr += 1 + akm_suite_size * *ptr;
> - if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
> - return;
> - wfx_hif_set_mfp(wvif, *ptr & BIT(7), *ptr & BIT(6));
> - }
> + if (unlikely(!skb))
> + return -ENOMEM;
> +
> + ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset,
> + skb->len - ieoffset);
> + if (unlikely(!ptr))
> + return -EINVAL;
> +
> + ptr += pairwise_cipher_suite_count_offset;
> + if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
> + return -EINVAL;
> +
> + ptr += 1 + pairwise_cipher_suite_size * *ptr;
> + if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
> + return -EINVAL;
> +
> + ptr += 1 + akm_suite_size * *ptr;
> + if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
> + return -EINVAL;
> +
> + wfx_hif_set_mfp(wvif, *ptr & BIT(7), *ptr & BIT(6));
> + return 0;
> }
>
> int wfx_start_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
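Review bot: returning -EINVAL from the new `if (unlikely(!ptr))` branch when cfg80211_find_ie() finds no RSN element changes behaviour: before this patch a beacon without an RSN element simply skipped wfx_hif_set_mfp(), whereas now wfx_start_ap() fails, so an open (non-RSN) AP can no longer be started. That branch should return 0 and skip the MFP setup, with -EINVAL kept for the WARN_ON bounds failures. Separately, no path in the function releases the skb obtained from ieee80211_beacon_get(); that leak predates this patch, but with the early returns now in place a single exit label calling dev_kfree_skb(skb) before returning would close it in the same change.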
> @@ -376,8 +385,7 @@ int wfx_start_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> ret = wfx_hif_start(wvif, &vif->bss_conf, wvif->channel);
> if (ret > 0)
> return -EIO;
> - wfx_set_mfp_ap(wvif);
> - return ret;
> + return wfx_set_mfp_ap(wvif);
> }
>
> void wfx_stop_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
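Review bot: a negative return from wfx_hif_start() is now discarded: the existing `if (ret > 0) return -EIO;` only handles positive values, and the removed `return ret;` was the line that propagated negative ones, so after this hunk wfx_start_ap() proceeds to wfx_set_mfp_ap() even when wfx_hif_start() reported a host-side error. Suggest adding `if (ret < 0) return ret;` ahead of the existing check so that case is still surfaced to the caller.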
> --
> 2.43.0
>
>
Tested-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
Acked-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
For the record, I tested with hostapd and this configuration:
channel=1
ctrl_interface=/var/run/hostapd
driver=nl80211
ht_capab=[SHORT-GI-20]
hw_mode=g
ieee80211n=1
ieee80211w=2
interface=wlan0
rsn_pairwise=CCMP
ssid=rpi-jpo-slv1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password
--
Jérôme Pouiller
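The walk through the RSN element that the patch performs, shown as an added self-contained example (not code from the patch or from the wfx driver): the element is located in a beacon body and every hop to the RSN Capabilities field is checked against the element's own length, so the absent and truncated cases return an error instead of being read past. The beacon bytes are constructed to match the hostapd settings above; the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define WLAN_EID_RSN 48

/* Find element `eid` in a TLV list; NULL if absent or if a declared length overruns. */
static const uint8_t *find_ie(uint8_t eid, const uint8_t *ies, size_t len)
{
    while (len >= 2 && len >= 2 + (size_t)ies[1]) {
        if (ies[0] == eid)
            return ies;
        len -= 2 + ies[1];
        ies += 2 + ies[1];
    }
    return NULL;
}

/* Walk the RSN element to its RSN Capabilities field and report MFPC (bit 7) and
 * MFPR (bit 6). Each hop is checked against the element length, so a hostile or
 * truncated suite count cannot steer the read outside the element. 0 ok, -1 error. */
int rsn_mfp_from_ies(const uint8_t *ies, size_t len, bool *capable, bool *required)
{
    const uint8_t *ie = find_ie(WLAN_EID_RSN, ies, len);
    size_t pos, end, n;
    if (!ie)
        return -1;                            /* no RSN element in this beacon */
    end = 2 + ie[1];                          /* one past the element's last byte */
    pos = 2 + 2 + 4;                          /* header, version, group cipher suite */
    if (pos + 2 > end)
        return -1;
    n = ie[pos] | (ie[pos + 1] << 8);         /* pairwise cipher suite count, LE */
    pos += 2 + 4 * n;
    if (pos + 2 > end)
        return -1;
    n = ie[pos] | (ie[pos + 1] << 8);         /* AKM suite count, LE */
    pos += 2 + 4 * n;
    if (pos + 2 > end)
        return -1;
    *capable = ie[pos] & 0x80;                /* MFPC */
    *required = ie[pos] & 0x40;               /* MFPR */
    return 0;
}

/* Constructed beacon body: SSID "ap" then an RSN element matching the hostapd
 * settings above (CCMP, WPA-PSK, ieee80211w=2, i.e. MFPC and MFPR both set). */
const uint8_t beacon_ies[] = { 0x00, 0x02, 'a', 'p', 0x30, 0x14, 0x01, 0x00,
    0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00,
    0x00, 0x0f, 0xac, 0x02, 0xc0, 0x00 };
```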