* [PATCH] mac80211_hwsim: Fix radiotap header for ACK frames
@ 2013-11-02 13:57 Jouni Malinen
From: Jouni Malinen @ 2013-11-02 13:57 UTC (permalink / raw)
To: John W. Linville; +Cc: linux-wireless, Johannes Berg
The earlier addition of rt_tsft to struct hwsim_radiotap_hdr updated
only mac80211_hwsim_monitor_tx() to fill in the new field.
mac80211_hwsim_monitor_ack() did not set the rt_tsft field and as such,
leaked eight bytes of kernel memory to user space. In addition, the
resulting radiotap header is invalid since the field offsets do not
match. Fix these issues by defining a separate radiotap header structure
for the ACK frame case which does not use all the fields.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
drivers/net/wireless/mac80211_hwsim.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 2cd3f54..ea315a1 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -382,6 +382,14 @@ struct hwsim_radiotap_hdr {
__le16 rt_chbitmask;
} __packed;
+struct hwsim_radiotap_ack_hdr {
+ struct ieee80211_radiotap_header hdr;
+ u8 rt_flags;
+ u8 pad;
+ __le16 rt_channel;
+ __le16 rt_chbitmask;
+} __packed;
+
/* MAC80211_HWSIM netlinf family */
static struct genl_family hwsim_genl_family = {
.id = GENL_ID_GENERATE,
@@ -499,7 +507,7 @@ static void mac80211_hwsim_monitor_ack(struct ieee80211_channel *chan,
const u8 *addr)
{
struct sk_buff *skb;
- struct hwsim_radiotap_hdr *hdr;
+ struct hwsim_radiotap_ack_hdr *hdr;
u16 flags;
struct ieee80211_hdr *hdr11;
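Review bot: since the following hunk sizes both `skb_put()` and `it_len` with `sizeof(*hdr)`, changing the pointer type here is what shrinks the pushed header from the full `hwsim_radiotap_hdr` to the 14-byte ACK layout; worth confirming that nothing else in this function or its callers spells out `sizeof(struct hwsim_radiotap_hdr)` literally, as that would silently reintroduce the size mismatch.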
@@ -510,14 +518,14 @@ static void mac80211_hwsim_monitor_ack(struct ieee80211_channel *chan,
if (skb == NULL)
return;
- hdr = (struct hwsim_radiotap_hdr *) skb_put(skb, sizeof(*hdr));
+ hdr = (struct hwsim_radiotap_ack_hdr *) skb_put(skb, sizeof(*hdr));
hdr->hdr.it_version = PKTHDR_RADIOTAP_VERSION;
hdr->hdr.it_pad = 0;
hdr->hdr.it_len = cpu_to_le16(sizeof(*hdr));
hdr->hdr.it_present = cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
(1 << IEEE80211_RADIOTAP_CHANNEL));
hdr->rt_flags = 0;
- hdr->rt_rate = 0;
+ hdr->pad = 0;
hdr->rt_channel = cpu_to_le16(chan->center_freq);
flags = IEEE80211_CHAN_2GHZ;
hdr->rt_chbitmask = cpu_to_le16(flags);
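Review bot: with `hdr->rt_rate = 0` replaced by `hdr->pad = 0`, every byte of the new header is now written explicitly, which closes the leak described in the commit message (the `skb_put()` area is not zeroed, and the old layout left the 8-byte `rt_tsft` untouched), and `it_present` advertising only FLAGS and CHANNEL now agrees with the struct. A `memset(hdr, 0, sizeof(*hdr))` right after the `skb_put()` would make that property hold regardless of which fields a future change adds to the struct. Unrelated to this fix, `flags = IEEE80211_CHAN_2GHZ` is hard-coded regardless of `chan->band`; that could be a follow-up.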
--
1.7.9.5
--
Jouni Malinen PGP id EFC895FA
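As an added illustration (not part of the patch or the thread), the walker below applies the radiotap natural-alignment rule to the `it_present` bitmap and shows why the old ACK header's `it_len` did not match the fields it advertised: the 22-byte "before" layout with an unwritten `rt_tsft` at offset 8 is assumed from the commit message, the 14-byte "after" layout is the `hwsim_radiotap_ack_hdr` from the patch, and the leaked bytes are constructed stand-ins for stale skb memory.

```python
import struct

# Radiotap present bits this driver uses: bit -> (name, size, alignment), per the radiotap spec.
RADIOTAP_FIELDS = {
    0: ("TSFT", 8, 8),
    1: ("FLAGS", 1, 1),
    2: ("RATE", 1, 1),
    3: ("CHANNEL", 4, 2),
}
FLAGS_BIT, CHANNEL_BIT = 1, 3
PRESENT = (1 << FLAGS_BIT) | (1 << CHANNEL_BIT)   # what monitor_ack() advertises
IEEE80211_CHAN_2GHZ = 0x0080


def walk_radiotap(buf: bytes):
    """Locate each advertised field the way a radiotap consumer would.
    Returns (it_len, {name: (offset, raw_bytes)}, bytes_not_covered_by_any_field)."""
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len > len(buf):
        raise ValueError("bad radiotap header")
    off = 8  # fields start right after the fixed 8-byte ieee80211_radiotap_header
    fields = {}
    for bit in range(32):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            raise ValueError(f"unsupported present bit {bit}")
        name, size, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) & ~(align - 1)   # natural alignment, as the spec requires
        if off + size > it_len:
            raise ValueError(f"{name} at offset {off} runs past it_len={it_len}")
        fields[name] = (off, buf[off:off + size])
        off += size
    return it_len, fields, it_len - off


def ack_header_before_fix(stale: bytes) -> bytes:
    """Assumed old 22-byte hwsim_radiotap_hdr as monitor_ack() filled it: rt_tsft at
    offset 8 was never written, so `stale` stands in for whatever the skb held there."""
    assert len(stale) == 8
    fixed = struct.pack("<BBHI", 0, 0, 22, PRESENT)
    return fixed + stale + struct.pack("<BBHH", 0, 0, 2412, IEEE80211_CHAN_2GHZ)


def ack_header_after_fix() -> bytes:
    """The 14-byte hwsim_radiotap_ack_hdr from the patch, every byte written."""
    fixed = struct.pack("<BBHI", 0, 0, 14, PRESENT)
    return fixed + struct.pack("<BBHH", 0, 0, 2412, IEEE80211_CHAN_2GHZ)
```

Walking the "before" header puts FLAGS and CHANNEL on top of the unwritten `rt_tsft` bytes and leaves 8 trailing bytes no field describes, which is exactly the memory that reached user space; the "after" header walks cleanly with zero undescribed bytes.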
* Re: [PATCH] mac80211_hwsim: Fix radiotap header for ACK frames
From: Johannes Berg @ 2013-11-04 8:25 UTC (permalink / raw)
To: Jouni Malinen; +Cc: John W. Linville, linux-wireless
On Sat, 2013-11-02 at 15:57 +0200, Jouni Malinen wrote:
> The earlier addition of rt_tsft to struct hwsim_radiotap_hdr updated
> only mac80211_hwsim_monitor_tx() to fill in the new field.
> mac80211_hwsim_monitor_ack() did not set the rt_tsft field and as such,
> leaked eight bytes of kernel memory to user space. In addition, the
> resulting radiotap header is invalid since the field offsets do not
> match. Fix these issues by defining a separate radiotap header structure
> for the ACK frame case which does not use all the fields.
Applied, thanks.
johannes