From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Rajkumar Manoharan <rmanohar@qti.qualcomm.com>,
Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 4.9 15/60] mac80211: strictly check mesh address extension mode
Date: Mon, 19 Jun 2017 23:17:09 +0800 [thread overview]
Message-ID: <20170619151645.234121119@linuxfoundation.org> (raw)
In-Reply-To: <20170619151644.680979056@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
commit 5667c86acf021e6dcf02584408b4484a273ac68f upstream.
Mesh forwarding path checks for address extension mode to fetch
appropriate proxied address and MPP address. Existing condition
that looks for 6 address format is not strict enough so that
frames with improper values are processed and invalid entries
are added into MPP table. Fix that by adding a stricter check before
processing the packet.
Per IEEE Std 802.11s-2011 spec. Table 7-6g1 lists address extension
mode 0x3 as reserved one. And also Table Table 9-13 does not specify
0x3 as valid address field.
Fixes: 9b395bc3be1c ("mac80211: verify that skb data is present")
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/rx.c | 3 ++-
net/wireless/util.c | 10 ++++++----
2 files changed, 8 insertions(+), 5 deletions(-)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2471,7 +2471,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
if (is_multicast_ether_addr(hdr->addr1)) {
mpp_addr = hdr->addr3;
proxied_addr = mesh_hdr->eaddr1;
- } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
+ } else if ((mesh_hdr->flags & MESH_FLAGS_AE) ==
+ MESH_FLAGS_AE_A5_A6) {
/* has_a4 already checked in ieee80211_rx_mesh_check */
mpp_addr = hdr->addr4;
proxied_addr = mesh_hdr->eaddr2;
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -454,6 +454,8 @@ int ieee80211_data_to_8023_exthdr(struct
if (iftype == NL80211_IFTYPE_MESH_POINT)
skb_copy_bits(skb, hdrlen, &mesh_flags, 1);
+ mesh_flags &= MESH_FLAGS_AE;
+
switch (hdr->frame_control &
cpu_to_le16(IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
case cpu_to_le16(IEEE80211_FCTL_TODS):
@@ -469,9 +471,9 @@ int ieee80211_data_to_8023_exthdr(struct
iftype != NL80211_IFTYPE_STATION))
return -1;
if (iftype == NL80211_IFTYPE_MESH_POINT) {
- if (mesh_flags & MESH_FLAGS_AE_A4)
+ if (mesh_flags == MESH_FLAGS_AE_A4)
return -1;
- if (mesh_flags & MESH_FLAGS_AE_A5_A6) {
+ if (mesh_flags == MESH_FLAGS_AE_A5_A6) {
skb_copy_bits(skb, hdrlen +
offsetof(struct ieee80211s_hdr, eaddr1),
tmp.h_dest, 2 * ETH_ALEN);
@@ -487,9 +489,9 @@ int ieee80211_data_to_8023_exthdr(struct
ether_addr_equal(tmp.h_source, addr)))
return -1;
if (iftype == NL80211_IFTYPE_MESH_POINT) {
- if (mesh_flags & MESH_FLAGS_AE_A5_A6)
+ if (mesh_flags == MESH_FLAGS_AE_A5_A6)
return -1;
- if (mesh_flags & MESH_FLAGS_AE_A4)
+ if (mesh_flags == MESH_FLAGS_AE_A4)
skb_copy_bits(skb, hdrlen +
offsetof(struct ieee80211s_hdr, eaddr1),
tmp.h_source, ETH_ALEN);
next prev parent reply other threads:[~2017-06-19 15:28 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 15:16 [PATCH 4.9 00/60] 4.9.34-stable review Greg Kroah-Hartman
2017-06-19 15:16 ` [PATCH 4.9 01/60] fs: pass on flags in compat_writev Greg Kroah-Hartman
2017-06-19 15:16 ` [PATCH 4.9 02/60] configfs: Fix race between create_link and configfs_rmdir Greg Kroah-Hartman
2017-06-19 15:16 ` [PATCH 4.9 03/60] can: gs_usb: fix memory leak in gs_cmd_reset() Greg Kroah-Hartman
2017-06-19 15:16 ` [PATCH 4.9 04/60] ila_xlat: add missing hash secret initialization Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 06/60] [media] vb2: Fix an off by one error in vb2_plane_vaddr Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 07/60] mac80211: dont look at the PM bit of BAR frames Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 08/60] mac80211/wpa: use constant time memory comparison for MACs Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 09/60] drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 10/60] drm/i915: Fix GVT-g PVINFO version compatibility check Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 11/60] usb: musb: dsps: keep VBUS on for host-only mode Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 13/60] mac80211: fix packet statistics for fast-RX Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 14/60] mac80211: fix IBSS presp allocation size Greg Kroah-Hartman
2017-06-19 15:17 ` Greg Kroah-Hartman [this message]
2017-06-19 15:17 ` [PATCH 4.9 16/60] mac80211: fix dropped counter in multiqueue RX Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 17/60] mac80211: dont send SMPS action frame in AP mode when not needed Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 18/60] drm/mediatek: fix mtk_hdmi_setup_vendor_specific_infoframe mistake Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 19/60] drm/vc4: Fix OOPSes from trying to cache a partially constructed BO Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 21/60] serial: sh-sci: Fix late enablement of AUTORTS Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 22/60] x86/mm/32: Set the __vmalloc_start_set flag in initmem_init() Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 23/60] mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 24/60] staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data() Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 25/60] staging: iio: tsl2x7x_core: Fix standard deviation calculation Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 26/60] iio: st_pressure: Fix data sign Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 27/60] iio: proximity: as3935: recalibrate RCO after resume Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 28/60] iio: adc: ti_am335x_adc: allocating too much in probe Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 29/60] IB/mlx5: Fix kernel to user leak prevention logic Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 30/60] usb: gadget: udc: renesas_usb3: fix pm_runtime functions calling Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 31/60] usb: gadget: udc: renesas_usb3: fix deadlock by spinlock Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 32/60] usb: gadget: udc: renesas_usb3: lock for PN_ registers access Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 33/60] USB: hub: fix SS max number of ports Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 34/60] usb: core: fix potential memory leak in error path during hcd creation Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 35/60] USB: usbip: fix nonconforming hub descriptor Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 36/60] [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze() Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 37/60] USB: gadget: dummy_hcd: fix hub-descriptor removable fields Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 38/60] usb: r8a66597-hcd: select a different endpoint on timeout Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 39/60] usb: r8a66597-hcd: decrease timeout Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 40/60] ath10k: fix napi crash during rmmod when probe firmware fails Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 41/60] misc: mic: double free on ioctl error path Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 42/60] drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR() Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 43/60] usb: xhci: Fix USB 3.1 supported protocol parsing Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 44/60] usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 45/60] USB: gadget: fix GPF in gadgetfs Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 46/60] USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 47/60] mm/memory-failure.c: use compound_head() flags for huge pages Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 48/60] swap: cond_resched in swap_cgroup_prepare() Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 49/60] iio: imu: inv_mpu6050: add accel lpf setting for chip >= MPU6500 Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 50/60] sched/core: Idle_task_exit() shouldnt use switch_mm_irqs_off() Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 51/60] genirq: Release resources in __setup_irq() error path Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 52/60] alarmtimer: Prevent overflow of relative timers Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 53/60] usb: gadget: composite: Fix function used to free memory Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 54/60] usb: dwc3: exynos fix axius clock error path to do cleanup Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 55/60] MIPS: Fix bnezc/jialc return address calculation Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 56/60] MIPS: .its targets depend on vmlinux Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 57/60] vTPM: Fix missing NULL check Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 58/60] crypto: Work around deallocated stack frame reference gcc bug on sparc Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 59/60] alarmtimer: Rate limit periodic intervals Greg Kroah-Hartman
2017-06-19 15:17 ` [PATCH 4.9 60/60] mm: larger stack guard gap, between vmas Greg Kroah-Hartman
2017-06-20 0:10 ` [PATCH 4.9 00/60] 4.9.34-stable review Guenter Roeck
2017-06-20 10:57 ` Sumit Semwal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170619151645.234121119@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rmanohar@qti.qualcomm.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).