From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
Subject: [ 06/25] mac80211: fix duplicate retransmission detection
Date: Thu, 8 Aug 2013 18:41:42 -0700
Message-ID: <20130809013650.519500814@linuxfoundation.org>
In-Reply-To: <20130809013649.057678051@linuxfoundation.org>

3.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 6b0f32745dcfba01d7be33acd1b40306c7a914c6 upstream.

The duplicate retransmission detection code in mac80211
erroneously attempts to do the check for every frame,
even frames that don't have a sequence control field or
that don't use it (QoS-Null frames.)

This is problematic because it causes the code to access
data beyond the end of the SKB and depending on the data
there will drop packets erroneously.

Correct the code to not do duplicate detection for such
frames.

I found this error while testing AP powersave, it led
to retransmitted PS-Poll frames being dropped entirely
as the data beyond the end of the SKB was always zero.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/rx.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -831,8 +831,14 @@ ieee80211_rx_h_check(struct ieee80211_rx
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
- /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
- if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
+ /*
+ * Drop duplicate 802.11 retransmissions
+ * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
+ */
+ if (rx->skb->len >= 24 && rx->sta &&
+ !ieee80211_is_ctl(hdr->frame_control) &&
+ !ieee80211_is_qos_nullfunc(hdr->frame_control) &&
+ !is_multicast_ether_addr(hdr->addr1)) {
if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
rx->sta->last_seq_ctrl[rx->seqno_idx] ==
hdr->seq_ctrl)) {
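
Review bot: The bare 24 in the new `rx->skb->len >= 24` condition is a magic number; nothing in the hunk says what it measures, and the rewritten comment above it only cites the standard's duplicate-detection clause. Since the check exists so that `hdr->seq_ctrl` is not read past the end of the SKB, consider deriving the bound from the header layout, for example `offsetof(struct ieee80211_hdr, seq_ctrl) + sizeof(hdr->seq_ctrl)`, or adding a one-line comment stating that 24 is the shortest header that still contains the sequence control field. The comment could also say why control frames and QoS-Null frames are skipped, as the commit message does, because the condition now has five clauses and the reason for the new ones is not obvious from the code alone.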