From: greearb@candelatech.com
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Ben Greear <greearb@candelatech.com>
Subject: [PATCH v3 4/4] mac80211-hwsim: add length checks before allocating skb.
Date: Thu, 23 Mar 2017 16:26:18 -0700
Message-ID: <1490311578-18926-4-git-send-email-greearb@candelatech.com>
In-Reply-To: <1490311578-18926-1-git-send-email-greearb@candelatech.com>

From: Ben Greear <greearb@candelatech.com>

Modify the receive-from-user-space logic to do length
and 'is-down' checks before trying to allocate an skb.

And, if we are going to ignore the pkt due to radio idle,
then do not return an error code to user-space. User-space
cannot reliably know exactly when a radio is idle or not.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
drivers/net/wireless/mac80211_hwsim.c | 41 +++++++++++++++++++----------------
1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 84dcddf..6207d4a 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3074,6 +3074,7 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
int frame_data_len;
void *frame_data;
struct sk_buff *skb = NULL;
+ int rv = -EINVAL;
if (!info->attrs[HWSIM_ATTR_ADDR_RECEIVER] ||
!info->attrs[HWSIM_ATTR_FRAME] ||
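
Review bot: rv is initialized here, but nothing in this patch ever reads it. The diffstat's 22 insertions are fully accounted for by this declaration, the rv = -ENETDOWN assignment in the third hunk, and the relocated length-check/alloc/copy block, so the function's exit path is not touched and the value handed back to user-space is unchanged. Either make the exit path return rv as part of this patch, or drop the variable; as posted it is a set-but-unused local.
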
@@ -3088,25 +3089,6 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]);
frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]);
- /* Allocate new skb here */
- skb = alloc_skb(frame_data_len, GFP_KERNEL);
- if (skb == NULL) {
- if (hwsim_ratelimit())
- printk(KERN_DEBUG " hwsim rx-nl: skb alloc failed, len: %d\n",
- frame_data_len);
- goto out;
- }
-
- if (frame_data_len > IEEE80211_MAX_DATA_LEN) {
- if (hwsim_ratelimit())
- printk(KERN_DEBUG " hwsim rx-nl: data lenth error: %d max: %d\n",
- frame_data_len, IEEE80211_MAX_DATA_LEN);
- goto out;
- }
-
- /* Copy the data */
- memcpy(skb_put(skb, frame_data_len), frame_data, frame_data_len);
-
data2 = get_hwsim_data_ref_from_addr(dst);
if (!data2) {
@@ -3135,9 +3117,30 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
if (((cnt++ & 0x3FF) == 0x3FF) && hwsim_ratelimit())
printk(KERN_DEBUG " hwsim rx-nl: radio %pM idle: %d or not started: %d cnt: %d\n",
dst, data2->idle, !data2->started, cnt);
+ rv = -ENETDOWN;
goto out;
}
+ if (frame_data_len > IEEE80211_MAX_DATA_LEN) {
+ if (hwsim_ratelimit())
+ printk(KERN_DEBUG " hwsim rx-nl: data lenth error: %d max: %d\n",
+ frame_data_len, IEEE80211_MAX_DATA_LEN);
+ goto out;
+ }
+
+
+ /* Allocate new skb here */
+ skb = alloc_skb(frame_data_len, GFP_KERNEL);
+ if (skb == NULL) {
+ if (hwsim_ratelimit())
+ printk(KERN_DEBUG " hwsim rx-nl: skb alloc failed, len: %d\n",
+ frame_data_len);
+ goto out;
+ }
+
+ /* Copy the data */
+ memcpy(skb_put(skb, frame_data_len), frame_data, frame_data_len);
+
/* A frame is received from user space */
memset(&rx_status, 0, sizeof(rx_status));
if (info->attrs[HWSIM_ATTR_FREQ]) {
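
Review bot: the idle / not-started branch sets rv = -ENETDOWN, which contradicts the commit message ("do not return an error code to user-space" when the frame is ignored because the radio is idle). If a silently dropped frame is meant to report success, this should be rv = 0, with the exit path returning rv. Also note the ordering: the length check now sits after this branch, so an oversized frame addressed to an idle radio is dropped without the length-error message; if that is intended, say so in the commit message. Minor: the relocated block has two consecutive blank '+' lines before the allocation comment, and the moved printk still spells "lenth".
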
--
2.4.11