From: Felix Fietkau
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Chad Monroe
Subject: [PATCH 6.1 1/2] wifi: cfg80211: fix ieee80211_data_to_8023_exthdr handling of small packets
Date: Fri, 7 Oct 2022 11:05:08 +0200
Message-Id: <20221007090509.18503-1-nbd@nbd.name>

STP topology change notification packets only have a payload of 7 bytes, so they get dropped due to the skb->len < hdrlen + 8 check. Fix this by removing skb->len based checks and instead check the return code on the skb_copy_bits calls.

Fixes: 2d1c304cb2d5 ("cfg80211: add function for 802.3 conversion with separate output buffer")
Reported-by: Chad Monroe
Signed-off-by: Felix Fietkau
---
 net/wireless/util.c | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c index 01493568a21d..35f630c6de11 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -559,8 +559,6 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, return -1; hdrlen = ieee80211_hdrlen(hdr->frame_control) + data_offset; - if (skb->len < hdrlen + 8) - return -1; /* convert IEEE 802.11 header + possible LLC headers into Ethernet * header 
@@ -574,8 +572,9 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, memcpy(tmp.h_dest, ieee80211_get_DA(hdr), ETH_ALEN); memcpy(tmp.h_source, ieee80211_get_SA(hdr), ETH_ALEN); - if (iftype == NL80211_IFTYPE_MESH_POINT) - skb_copy_bits(skb, hdrlen, &mesh_flags, 1); + if (iftype == NL80211_IFTYPE_MESH_POINT && + skb_copy_bits(skb, hdrlen, &mesh_flags, 1) < 0) + return -1; mesh_flags &= MESH_FLAGS_AE; @@ -595,11 +594,12 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, if (iftype == NL80211_IFTYPE_MESH_POINT) { if (mesh_flags == MESH_FLAGS_AE_A4) return -1; - if (mesh_flags == MESH_FLAGS_AE_A5_A6) { - skb_copy_bits(skb, hdrlen + - offsetof(struct ieee80211s_hdr, eaddr1), - tmp.h_dest, 2 * ETH_ALEN); - } + if (mesh_flags == MESH_FLAGS_AE_A5_A6 && + skb_copy_bits(skb, hdrlen + + offsetof(struct ieee80211s_hdr, eaddr1), + tmp.h_dest, 2 * ETH_ALEN) < 0) + return -1; + hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags); } break; @@ -613,10 +613,11 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, if (iftype == NL80211_IFTYPE_MESH_POINT) { if (mesh_flags == MESH_FLAGS_AE_A5_A6) return -1; - if (mesh_flags == MESH_FLAGS_AE_A4) - skb_copy_bits(skb, hdrlen + - offsetof(struct ieee80211s_hdr, eaddr1), - tmp.h_source, ETH_ALEN); + if (mesh_flags == MESH_FLAGS_AE_A4 && + skb_copy_bits(skb, hdrlen + + offsetof(struct ieee80211s_hdr, eaddr1), + tmp.h_source, ETH_ALEN) < 0) + return -1; hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags); } break; 
@@ -628,16 +629,15 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, break; } - skb_copy_bits(skb, hdrlen, &payload, sizeof(payload)); - tmp.h_proto = payload.proto; - - if (likely((!is_amsdu && ether_addr_equal(payload.hdr, rfc1042_header) && + if (likely(skb_copy_bits(skb, hdrlen, &payload, sizeof(payload)) == 0) && + likely((!is_amsdu && ether_addr_equal(payload.hdr, rfc1042_header) && tmp.h_proto != htons(ETH_P_AARP) && tmp.h_proto != htons(ETH_P_IPX)) || ether_addr_equal(payload.hdr, bridge_tunnel_header))) { /* remove RFC1042 or Bridge-Tunnel encapsulation and * replace EtherType */ hdrlen += ETH_ALEN + 2; + tmp.h_proto = payload.proto; skb_postpull_rcsum(skb, &payload, ETH_ALEN + 2); } else { tmp.h_proto = htons(skb->len - hdrlen); -- 2.36.1
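Review bot: In the first hunk (@@ -559,8 +559,6), nothing shown in this patch still guarantees skb->len >= hdrlen once the "skb->len < hdrlen + 8" test is removed, and the fallback branch visible in the last hunk computes htons(skb->len - hdrlen), which wraps when the frame is shorter than the header. A failed final skb_copy_bits() now lands in exactly that branch, so consider keeping a reduced "skb->len < hdrlen" test here, or returning -1 in the fallback branch when the subtraction would underflow.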
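Review bot: In the last hunk (@@ -628,16 +629,15), the condition still compares tmp.h_proto against htons(ETH_P_AARP) and htons(ETH_P_IPX), but "tmp.h_proto = payload.proto;" has moved into the if body, so those two comparisons no longer test the EtherType that was just copied out of the frame. Compare payload.proto directly in the condition (payload.proto != htons(ETH_P_AARP) && payload.proto != htons(ETH_P_IPX)), and keep the assignment to tmp.h_proto in the body as it is now.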