From: Pavel Roskin <proski@gnu.org>
To: linux-wireless <linux-wireless@vger.kernel.org>
Subject: ieee80211_tx_status() on injected packets
Date: Fri, 10 Jul 2009 18:32:39 -0400
Message-ID: <1247265159.6399.31.camel@mj>
Hello!
I've been testing mac80211 with kmemcheck. By injecting specially
crafted packets, I could trigger a warning in ieee80211_tx_status() on
this line:
frag = le16_to_cpu(hdr->seq_ctrl) & IEEE80211_SCTL_FRAG;
It turns out hdr->seq_ctrl is beyond the end of the skb. Adding printk
confirms it:
hdr=0xffff88012aa04868, &hdr->seq_ctrl=0xffff88012aa0487e,
skb->data=0xffff88012aa04868, skb->data + skb->len=0xffff88012aa0487c
The packets that produce the warning have the radiotap header length
increased by 10.
Here's the annotated dump of the packet:
/* Original radiotap header, but the length should be 0e, not 18 */
00 00 18 00 03 00 00 00 00 02 6c 09 a0 00
/* mac80211 treats this as part of the radiotap header */
08 03 00 00 01 0c cc 00 00 00
/* frame control */
00 11
/* duration */
6b 39
/* addr1 */
40 19 11 04 28 00
/* addr2 */
00 00 10 00 00 00
/* addr3 - incomplete */
00 00 00 00
/* sequence control - beyond the skb end */
I'm using rt73usb to inject. ieee80211_tx_status() is scheduled by
ieee80211_tx_status_irqsafe(), which is called in rt2x00dev.c.
If we allow injecting malformed packets, we shouldn't assume them to be
valid 802.11 packets unless we can verify it. And even then, maybe it's
better to bypass ieee80211_tx_status() for injected packets, as it can
influence statistics and rate control algorithms in unpredictable ways.
--
Regards,
Pavel Roskin
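The check the message argues for, written out as a stand-alone C program (added example, not code from the kernel or from the original post): it parses the radiotap it_len from the injected buffer, rejects a length that runs past the buffer, computes what skb->len would be after the radiotap header is pulled, and only reads seq_ctrl when a full 24-byte 3-address 802.11 header fits. The 44-byte frame is the dump from the message above; the 0x18 value reproduces the out-of-bounds case (20 bytes left, seq_ctrl at offset 22), and patching it to 0x0e makes the frame parse. The function names, the struct tx_verdict type and the enum values are invented for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offsets and constants of a generic 3-address 802.11 header. */
#define IEEE80211_SEQ_CTRL_OFF 22
#define IEEE80211_HDR3_LEN     24
#define IEEE80211_SCTL_FRAG    0x000F
#define RADIOTAP_MIN_LEN       8   /* it_version, it_pad, it_len, it_present */

/* Hypothetical result codes for this example. */
enum tx_check {
    TX_OK = 0,
    TX_BAD_RADIOTAP,   /* radiotap header truncated or it_len beyond the buffer */
    TX_SHORT_80211,    /* 802.11 header does not fit after the radiotap header */
};

struct tx_verdict {
    enum tx_check status;
    size_t hdr_len;    /* bytes left after radiotap, i.e. skb->len after the pull */
    unsigned frag;     /* fragment number, valid only when status == TX_OK */
};

/* Frame from the mailing-list post: radiotap (it_len 0x18) followed by a truncated 802.11 header. */
static const uint8_t injected_frame[44] = {
    0x00, 0x00, 0x18, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x02, 0x6c, 0x09, 0xa0, 0x00,
    0x08, 0x03, 0x00, 0x00, 0x01, 0x0c, 0xcc, 0x00, 0x00, 0x00,
    0x00, 0x11,                         /* frame control */
    0x6b, 0x39,                         /* duration */
    0x40, 0x19, 0x11, 0x04, 0x28, 0x00, /* addr1 */
    0x00, 0x00, 0x10, 0x00, 0x00, 0x00, /* addr2 */
    0x00, 0x00, 0x00, 0x00,             /* addr3, incomplete */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Validate buf/len (radiotap + 802.11) before anything touches hdr->seq_ctrl. */
struct tx_verdict check_injected_frame(const uint8_t *buf, size_t len)
{
    struct tx_verdict v = { TX_BAD_RADIOTAP, 0, 0 };

    /* it_version must be 0 and the fixed part of the radiotap header must be present. */
    if (len < RADIOTAP_MIN_LEN || buf[0] != 0)
        return v;

    size_t it_len = le16(buf + 2);
    if (it_len < RADIOTAP_MIN_LEN || it_len > len)
        return v;                       /* it_len claims more than the skb holds */

    v.hdr_len = len - it_len;           /* what skb->len becomes after the pull */
    if (v.hdr_len < IEEE80211_HDR3_LEN) {
        v.status = TX_SHORT_80211;      /* seq_ctrl would lie beyond the skb end */
        return v;
    }

    const uint8_t *hdr = buf + it_len;
    v.frag = le16(hdr + IEEE80211_SEQ_CTRL_OFF) & IEEE80211_SCTL_FRAG;
    v.status = TX_OK;
    return v;
}

/* Copy the sample frame, overwrite its radiotap it_len, and validate it. */
struct tx_verdict check_with_radiotap_len(uint16_t it_len)
{
    uint8_t copy[sizeof injected_frame];
    memcpy(copy, injected_frame, sizeof copy);
    copy[2] = (uint8_t)(it_len & 0xff);
    copy[3] = (uint8_t)(it_len >> 8);
    return check_injected_frame(copy, sizeof copy);
}

int main(void)
{
    static const char *names[] = { "ok", "bad radiotap", "802.11 header too short" };
    uint16_t lens[] = { 0x18, 0x0e, 0x40 };
    for (size_t i = 0; i < 3; i++) {
        struct tx_verdict v = check_with_radiotap_len(lens[i]);
        printf("it_len=0x%02x: %s (hdr_len=%zu, frag=%u)\n",
               lens[i], names[v.status], v.hdr_len, v.frag);
    }
    return 0;
}
```

With it_len 0x18 the routine reports hdr_len 20, the same value the printk in the message shows for skb->len, and refuses to read seq_ctrl; with 0x0e the 24-byte header fits and the fragment number is read normally.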