From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Johannes Berg, Luca Coelho, Sasha Levin, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 31/35] mac80211: handle various extensible elements correctly
Date: Mon, 21 Jun 2021 13:52:56 -0400
Message-Id: <20210621175300.735437-31-sashal@kernel.org>
In-Reply-To: <20210621175300.735437-1-sashal@kernel.org>
References: <20210621175300.735437-1-sashal@kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Johannes Berg

[ Upstream commit 652e8363bbc7d149fa194a5cbf30b1001c0274b0 ]

Various elements are parsed with a requirement to have an exact size, when really we should only check that they have the minimum size that we need. Check only that and therefore ignore any additional data that they might carry.

Signed-off-by: Johannes Berg
Signed-off-by: Luca Coelho
Link: https://lore.kernel.org/r/iwlwifi.20210618133832.cd101f8040a4.Iadf0e9b37b100c6c6e79c7b298cc657c2be9151a@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Sasha Levin
--- net/mac80211/util.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/net/mac80211/util.c b/net/mac80211/util.c index d8f9fb0646a4..fbf56a203c0e 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -954,7 +954,7 @@ static void ieee80211_parse_extension_element(u32 *crc, switch (elem->data[0]) { case WLAN_EID_EXT_HE_MU_EDCA: - if (len == sizeof(*elems->mu_edca_param_set)) { + if (len >= sizeof(*elems->mu_edca_param_set)) { elems->mu_edca_param_set = data; if (crc) *crc = crc32_be(*crc, (void *)elem, @@ -975,7 +975,7 @@ static void ieee80211_parse_extension_element(u32 *crc, } break; case WLAN_EID_EXT_UORA: - if (len == 1) + if (len >= 1) elems->uora_element = data; break; case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME: 
@@ -983,7 +983,7 @@ static void ieee80211_parse_extension_element(u32 *crc, elems->max_channel_switch_time = data; break; case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION: - if (len == sizeof(*elems->mbssid_config_ie)) + if (len >= sizeof(*elems->mbssid_config_ie)) elems->mbssid_config_ie = data; break; case WLAN_EID_EXT_HE_SPR: @@ -992,7 +992,7 @@ static void ieee80211_parse_extension_element(u32 *crc, elems->he_spr = data; break; case WLAN_EID_EXT_HE_6GHZ_CAPA: - if (len == sizeof(*elems->he_6ghz_capa)) + if (len >= sizeof(*elems->he_6ghz_capa)) elems->he_6ghz_capa = data; break; } @@ -1081,14 +1081,14 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, switch (id) { case WLAN_EID_LINK_ID: - if (elen + 2 != sizeof(struct ieee80211_tdls_lnkie)) { + if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) { elem_parse_failed = true; break; } elems->lnk_id = (void *)(pos - 2); break; case WLAN_EID_CHAN_SWITCH_TIMING: - if (elen != sizeof(struct ieee80211_ch_switch_timing)) { + if (elen < sizeof(struct ieee80211_ch_switch_timing)) { elem_parse_failed = true; break; } @@ -1251,7 +1251,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, elems->sec_chan_offs = (void *)pos; break; case WLAN_EID_CHAN_SWITCH_PARAM: - if (elen != + if (elen < sizeof(*elems->mesh_chansw_params_ie)) { elem_parse_failed = true; break; @@ -1260,7 +1260,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, break; case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: if (!action || - elen != sizeof(*elems->wide_bw_chansw_ie)) { + elen < sizeof(*elems->wide_bw_chansw_ie)) { elem_parse_failed = true; break; } @@ -1279,7 +1279,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, ie = cfg80211_find_ie(WLAN_EID_WIDE_BW_CHANNEL_SWITCH, pos, elen); if (ie) { - if (ie[1] == sizeof(*elems->wide_bw_chansw_ie)) + if (ie[1] >= sizeof(*elems->wide_bw_chansw_ie)) elems->wide_bw_chansw_ie = (void *)(ie + 2); else 
@@ -1323,7 +1323,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, elems->cisco_dtpc_elem = pos; break; case WLAN_EID_ADDBA_EXT: - if (elen != sizeof(struct ieee80211_addba_ext_ie)) { + if (elen < sizeof(struct ieee80211_addba_ext_ie)) { elem_parse_failed = true; break; } @@ -1349,7 +1349,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, elem, elems); break; case WLAN_EID_S1G_CAPABILITIES: - if (elen == sizeof(*elems->s1g_capab)) + if (elen >= sizeof(*elems->s1g_capab)) elems->s1g_capab = (void *)pos; else elem_parse_failed = true; -- 2.30.2
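Review bot: in the WLAN_EID_EXT_HE_MU_EDCA case of ieee80211_parse_extension_element() (first hunk), the `crc32_be(*crc, (void *)elem,` call now also runs for elements longer than sizeof(*elems->mu_edca_param_set), and its length argument lies outside the visible context. If that argument is derived from the element's own length, trailing bytes the parser otherwise ignores will feed the CRC, so extra or varying data after the struct changes the checksum without changing any parsed field. Please confirm which length is intended here and state it in a comment next to the call.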
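Review bot: the extension-element cases touched in ieee80211_parse_extension_element() (WLAN_EID_EXT_UORA, WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION, WLAN_EID_EXT_HE_6GHZ_CAPA) silently skip an element that is too short, while the cases touched in _ieee802_11_parse_elems_crc() set `elem_parse_failed = true` for the same condition. Since every one of these checks is being rewritten anyway, either align the short-element handling or add a comment explaining why extension elements are exempt. In the same function, `if (len >= 1)` for WLAN_EID_EXT_UORA uses a bare literal where the neighbouring cases use sizeof(); a short comment naming the one required byte would make the minimum self-documenting.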
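Review bot: with `!=` relaxed to `<` in _ieee802_11_parse_elems_crc() (WLAN_EID_LINK_ID, WLAN_EID_CHAN_SWITCH_TIMING, WLAN_EID_CHAN_SWITCH_PARAM, WLAN_EID_WIDE_BW_CHANNEL_SWITCH, WLAN_EID_ADDBA_EXT, WLAN_EID_S1G_CAPABILITIES), the stored pointers can now refer to elements larger than the struct they are cast to, and none of these hunks records the element length alongside the pointer. Nothing in the visible lines shows that the users of elems->lnk_id, elems->wide_bw_chansw_ie and the others read only sizeof(struct) bytes and never rely on the element ending at the struct boundary, for example when copying or re-emitting it. For a stable backport it would help if the changelog said those users were checked, or if the structs in struct ieee802_11_elems carried a comment that trailing data may follow.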