linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	alan@lxorguk.ukuu.org.uk, Javier Cardona <javier@cozybit.com>,
	Johannes Berg <johannes.berg@intel.com>
Subject: [ 12/57] wireless: drop invalid mesh address extension frames
Date: Wed, 14 Nov 2012 20:11:20 -0800
Message-ID: <20121115040933.965891870@linuxfoundation.org>
In-Reply-To: <20121115040933.223998671@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 7dd111e8ee10cc6816669eabcad3334447673236 upstream.

The mesh header can have address extension by a 4th
or a 5th and 6th address, but never both. Drop such
frames in 802.11 -> 802.3 conversion along with any
frames that have the wrong extension.

Reviewed-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/util.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -293,18 +293,15 @@ EXPORT_SYMBOL(ieee80211_get_hdrlen_from_
 static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
 {
 	int ae = meshhdr->flags & MESH_FLAGS_AE;
-	/* 7.1.3.5a.2 */
+	/* 802.11-2012, 8.2.4.7.3 */
 	switch (ae) {
+	default:
 	case 0:
 		return 6;
 	case MESH_FLAGS_AE_A4:
 		return 12;
 	case MESH_FLAGS_AE_A5_A6:
 		return 18;
-	case (MESH_FLAGS_AE_A4 | MESH_FLAGS_AE_A5_A6):
-		return 24;
-	default:
-		return 6;
 	}
 }
 
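Review bot: the `default:` label now placed above `case 0:` makes every AE
value the switch does not list, including the A4 | A5_A6 combination that
used to return 24, report a 6-byte mesh header with no indication that the
flags were invalid. Please add a comment on that label saying the value is
invalid per 802.11-2012 8.2.4.7.3 and that callers are expected to drop
such frames, because a caller that only uses this length would treat the
extension bytes as payload. In this patch only the two branches of
ieee80211_data_to_8023() are shown rejecting such frames.
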
@@ -354,6 +351,8 @@ int ieee80211_data_to_8023(struct sk_buf
 			/* make sure meshdr->flags is on the linear part */
 			if (!pskb_may_pull(skb, hdrlen + 1))
 				return -1;
+			if (meshdr->flags & MESH_FLAGS_AE_A4)
+				return -1;
 			if (meshdr->flags & MESH_FLAGS_AE_A5_A6) {
 				skb_copy_bits(skb, hdrlen +
 					offsetof(struct ieee80211s_hdr, eaddr1),
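
Review bot: the added `if (meshdr->flags & MESH_FLAGS_AE_A4) return -1;`
carries no comment saying why an A4 extension is wrong in this branch, and
it sits directly under a comment that only describes the pskb_may_pull()
call. A one-line comment stating that only the A5/A6 extension is valid
here would make the drop self-explanatory. It is also worth saying there
that this test, because it runs before the A5_A6 test, is what rejects
frames with both bits set.
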
@@ -378,6 +377,8 @@ int ieee80211_data_to_8023(struct sk_buf
 			/* make sure meshdr->flags is on the linear part */
 			if (!pskb_may_pull(skb, hdrlen + 1))
 				return -1;
+			if (meshdr->flags & MESH_FLAGS_AE_A5_A6)
+				return -1;
 			if (meshdr->flags & MESH_FLAGS_AE_A4)
 				skb_copy_bits(skb, hdrlen +
 					offsetof(struct ieee80211s_hdr, eaddr1),
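
Review bot: the added A5_A6 test in this branch is the mirror image of the
A4 test added in the previous hunk, and both are open-coded bit tests
rather than the mask-and-switch form that ieee80211_get_mesh_hdrlen() uses.
Consider reading `meshdr->flags & MESH_FLAGS_AE` once into a local and
comparing it against the one extension each branch accepts, so the length
helper and the two branches cannot drift apart. As a style point, the
`if (meshdr->flags & MESH_FLAGS_AE_A4)` that follows is unbraced around a
multi-line skb_copy_bits() call, while the other branch uses braces.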


