Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp4155280pxk; Tue, 8 Sep 2020 12:05:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyLR/PUZtk/BuBtiIlbDJVSxyO6tO5dyO2YequbRFcxVzssWjALMCVBm1U6MIXXW3NtiFrN X-Received: by 2002:a50:ab13:: with SMTP id s19mr406520edc.357.1599591935390; Tue, 08 Sep 2020 12:05:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599591935; cv=none; d=google.com; s=arc-20160816; b=aTRA9GAxSc0BaxKfrNs5kzHc3REoLPzr6FsFDTRmdkWu7yoOxCzj4d3V7RtHsEfeIx uusz42uHFBTHb8nlfXO6Uh1gRm6Vk4IGqD2xp+LFNobhqcUBIMwpv7wiWVQGk6YyoJWl ajStvu8dpFsbRZxCYPpXVn3e9hSN2NbZsOTqSD4IuTJuYpOoC2wB+fCdKVBUXTwT1D3F mtZS2dzcBjTt+A7rtAel6Y7Gdj4b7ow0lyoJ8XPeueEZVxSqJ9NBYKZjizlFlegjmv2S n0CHKQEa4B5gk/WhRBarcB/ZgqEAlnbEUbyyNmu5jtGgyQ2vyGYTldC9YLMzKXjOJxAT mT1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=8DSH1JrI5Dzn7APd/sDl+fYvMNWIT/r/SRSG7fzwXgQ=; b=B1HDqfGuqoj/1YvoudU6Dk/kZcZ2gEou0VuzVDH0+XIWH1TXTEyERL+Rpe1V6LBn/a P15fZkazwrvsFijVD0Yc8CibFvOf5V1C5eDmjf5QQxlfPQEFCj/WTbajuXPsaQqnVm2z c6Do89f77cDuOCAQJCXoMn9N8QDeFQk2NTpmckcFEiZq8NlFXF9sDx2OggUH+ABQrMGO nA24nFAEf3vyw4DN8GVJQu1bmGoVNI4orAhTxSvdTpa9+FKllUCZ6EX5b2UBfnbG4CJK vnYoVvH7pLlOUQbtqUNEYKlUgEhsbQLJVOSkU6coP5kErKrDs+rTJOqBMn/YkVJsI0ia P06A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c1si12415404eds.366.2020.09.08.12.05.10; Tue, 08 Sep 2020 12:05:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731716AbgIHTDo (ORCPT + 99 others); Tue, 8 Sep 2020 15:03:44 -0400 Received: from mail.adapt-ip.com ([173.164.178.19]:52694 "EHLO web.adapt-ip.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1731487AbgIHTDc (ORCPT ); Tue, 8 Sep 2020 15:03:32 -0400 Received: from localhost (localhost [127.0.0.1]) by web.adapt-ip.com (Postfix) with ESMTP id BF8BE4F9AE0; Tue, 8 Sep 2020 19:03:29 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at web.adapt-ip.com Received: from web.adapt-ip.com ([127.0.0.1]) by localhost (web.adapt-ip.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JEWFtVzBccie; Tue, 8 Sep 2020 19:03:27 +0000 (UTC) Received: from atlas.ibsgaard.io (c-73-223-60-234.hsd1.ca.comcast.net [73.223.60.234]) (Authenticated sender: thomas@adapt-ip.com) by web.adapt-ip.com (Postfix) with ESMTPSA id 4C7A24F9AF5; Tue, 8 Sep 2020 19:03:21 +0000 (UTC) From: Thomas Pedersen To: Johannes Berg Cc: linux-wireless , Thomas Pedersen Subject: [PATCH v3 04/22] nl80211: correctly validate S1G beacon head Date: Tue, 8 Sep 2020 12:03:05 -0700 Message-Id: <20200908190323.15814-5-thomas@adapt-ip.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200908190323.15814-1-thomas@adapt-ip.com> References: <20200908190323.15814-1-thomas@adapt-ip.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org The S1G beacon has a different header size than regular beacons, so adjust the beacon head validator. Signed-off-by: Thomas Pedersen --- net/wireless/nl80211.c | 16 +++++++++++++--- net/wireless/util.c | 5 +++++ 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index e408624018d5..8cf50bfedb01 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -209,14 +209,24 @@ static int validate_beacon_head(const struct nlattr *attr, unsigned int len = nla_len(attr); const struct element *elem; const struct ieee80211_mgmt *mgmt = (void *)data; - unsigned int fixedlen = offsetof(struct ieee80211_mgmt, - u.beacon.variable); + bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control); + unsigned int fixedlen, hdrlen; + + if (s1g_bcn) { + fixedlen = offsetof(struct ieee80211_ext, + u.s1g_beacon.variable); + hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon); + } else { + fixedlen = offsetof(struct ieee80211_mgmt, + u.beacon.variable); + hdrlen = offsetof(struct ieee80211_mgmt, u.beacon); + } if (len < fixedlen) goto err; if (ieee80211_hdrlen(mgmt->frame_control) != - offsetof(struct ieee80211_mgmt, u.beacon)) + hdrlen) goto err; data += fixedlen; diff --git a/net/wireless/util.c b/net/wireless/util.c index 7c5d5365a5eb..11822cd05a9f 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -397,6 +397,11 @@ unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc) { unsigned int hdrlen = 24; + if (ieee80211_is_ext(fc)) { + hdrlen = 4; + goto out; + } + if (ieee80211_is_data(fc)) { if (ieee80211_has_a4(fc)) hdrlen = 30; -- 2.20.1