From: Johannes Berg
To: linux-wireless@vger.kernel.org
Cc: Johannes Berg, syzbot+d050d437fe47d479d210@syzkaller.appspotmail.com
Subject: [PATCH] wifi: cfg80211: check A-MSDU format more carefully
Date: Mon, 26 Feb 2024 20:34:06 +0100
Message-ID: <20240226203405.a731e2c95e38.I82ce7d8c0cc8970ce29d0a39fdc07f1ffc425be4@changeid>
X-Mailer: git-send-email 2.43.2
X-Mailing-List: linux-wireless@vger.kernel.org

From: Johannes Berg

If it looks like there's another subframe in the A-MSDU but the header
isn't fully there, we can end up reading data out of bounds, only to
discard later. Make this a bit more careful and check if the subframe
header can even be present.

Reported-by: syzbot+d050d437fe47d479d210@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg
---
 net/wireless/util.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index d1ce3bee2797..b9d15f369378 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -791,15 +791,19 @@ ieee80211_amsdu_subframe_length(void *field, u8 mesh_flags, u8 hdr_type) bool ieee80211_is_valid_amsdu(struct sk_buff *skb, u8 mesh_hdr) { - int offset = 0, remaining, subframe_len, padding; + int offset = 0, subframe_len, padding; for (offset = 0; offset < skb->len; offset += subframe_len + padding) { + int remaining = skb->len - offset; struct { __be16 len; u8 mesh_flags; } hdr; u16 len; + if (sizeof(hdr) > remaining) + return false; + if (skb_copy_bits(skb, offset + 2 * ETH_ALEN, &hdr, sizeof(hdr)) < 0) return false; @@ -807,7 +811,6 @@ bool ieee80211_is_valid_amsdu(struct sk_buff *skb, u8 mesh_hdr) mesh_hdr); subframe_len = sizeof(struct ethhdr) + len; padding = (4 - subframe_len) & 0x3; - remaining = skb->len - offset; if (subframe_len > remaining) return false; @@ -825,7 +828,7 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, { unsigned int hlen = ALIGN(extra_headroom, 4); struct sk_buff *frame = NULL; - int offset = 0, remaining; + int offset = 0; struct { struct ethhdr eth; uint8_t flags; @@ -839,10 +842,14 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, copy_len = sizeof(hdr); while (!last) { + int remaining = skb->len - offset; unsigned int subframe_len; int len, mesh_len = 0; u8 padding; + if (copy_len > remaining) + goto purge; + skb_copy_bits(skb, offset, &hdr, copy_len); if (iftype == NL80211_IFTYPE_MESH_POINT) mesh_len = __ieee80211_get_mesh_hdrlen(hdr.flags); @@ -852,7 +859,6 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, padding = (4 - subframe_len) & 0x3; /* the last MSDU has no padding */ - remaining = skb->len - offset; if (subframe_len > remaining) goto purge; /* mitigate A-MSDU aggregation injection attacks */ -- 2.43.2
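Review bot: in the first hunk (ieee80211_is_valid_amsdu, @@ -791,15) the new guard compares sizeof(hdr), i.e. the 3 bytes of len plus mesh_flags, against remaining, but the read on the next line starts at offset + 2 * ETH_ALEN, so the bytes the subframe header actually needs are 2 * ETH_ALEN + sizeof(hdr). A tail of between 3 and 14 bytes therefore still passes the new check and is rejected only because skb_copy_bits() returns -EFAULT for the short read, which the existing `< 0` test catches. That is safe, but the intent reads more clearly as `if (2 * ETH_ALEN + sizeof(hdr) > remaining) return false;`. Computing remaining at the top of the loop body is sound: the loop condition offset < skb->len keeps it strictly positive, so the int-versus-size_t comparison cannot misbehave here.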
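Review bot: in the ieee80211_amsdu_to_8023s hunk (@@ -839,10) the guard `if (copy_len > remaining) goto purge;` matches the read exactly, since skb_copy_bits(skb, offset, &hdr, copy_len) starts at offset; unlike the validity check, this call's return value is not examined, so the new guard is what now stops a short copy from leaving hdr partly stale before hdr.flags is fed to __ieee80211_get_mesh_hdrlen(). One caveat worth a comment in the code: copy_len's declaration is outside the hunk, and if it is unsigned the comparison is only meaningful while remaining is non-negative, which depends on the `last` bookkeeping that ends the loop keeping offset within skb->len.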
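The commit message describes the failure mode in one sentence; the following user-space walk of an A-MSDU, added here as an illustration and not part of the patch or of cfg80211, shows the same validity check for the non-mesh case (14-byte subframe header: DA, SA, 16-bit MSDU length, no mesh flags byte) together with the three inputs a reviewer would want to see handled: a well-formed aggregate, one with a stray tail shorter than a header, and one whose length field claims more than is left. The function names, the locally administered MAC addresses and the sample frames are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
/* Non-mesh A-MSDU subframe header: DA, SA, 16-bit big-endian MSDU length. */
#define AMSDU_HDR_LEN (2 * ETH_ALEN + 2)

/* Walk an A-MSDU payload the way the kernel's validity check does and
 * return the number of subframes, or -1 if the aggregate is malformed.
 * Hypothetical user-space helper, not the cfg80211 code. */
int amsdu_count_subframes(const uint8_t *buf, size_t len)
{
    size_t offset = 0;
    int count = 0;

    while (offset < len) {
        size_t remaining = len - offset;
        size_t msdu_len, subframe_len, padding;

        /* The check the patch adds: do not read a length field unless
         * the whole subframe header lies inside the buffer. */
        if (remaining < AMSDU_HDR_LEN)
            return -1;

        msdu_len = ((size_t)buf[offset + 2 * ETH_ALEN] << 8) |
                   buf[offset + 2 * ETH_ALEN + 1];
        subframe_len = AMSDU_HDR_LEN + msdu_len;
        /* Subframes are padded to 4 bytes; same formula as the kernel. */
        padding = (4 - subframe_len) & 0x3;

        /* The length field must not claim more bytes than remain. */
        if (subframe_len > remaining)
            return -1;

        count++;
        offset += subframe_len + padding;
    }
    return count;
}

/* Constructed locally administered addresses for the sample frames. */
static const uint8_t DA[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t SA[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x02 };

/* Append one subframe at out[off]; pads to 4 bytes unless it is the last. */
static size_t amsdu_append(uint8_t *out, size_t off,
                           const uint8_t *payload, size_t plen, bool last)
{
    size_t subframe_len = AMSDU_HDR_LEN + plen;

    memcpy(out + off, DA, ETH_ALEN);
    memcpy(out + off + ETH_ALEN, SA, ETH_ALEN);
    out[off + 2 * ETH_ALEN] = (uint8_t)(plen >> 8);
    out[off + 2 * ETH_ALEN + 1] = (uint8_t)(plen & 0xff);
    memcpy(out + off + AMSDU_HDR_LEN, payload, plen);
    off += subframe_len;
    if (!last) {
        size_t padding = (4 - subframe_len) & 0x3;
        memset(out + off, 0, padding);
        off += padding;
    }
    return off;
}

/* Two well-formed subframes: a 3-byte MSDU (padded to 20) then a 5-byte one. */
int example_valid(void)
{
    uint8_t buf[64];
    const uint8_t p1[] = { 0xaa, 0xbb, 0xcc };
    const uint8_t p2[] = { 0x11, 0x22, 0x33, 0x44, 0x55 };
    size_t off = amsdu_append(buf, 0, p1, sizeof p1, false);

    off = amsdu_append(buf, off, p2, sizeof p2, true);
    return amsdu_count_subframes(buf, off);
}

/* One good subframe followed by 5 stray bytes: looks like the start of
 * another header, but its length field would sit past the end. */
int example_truncated(void)
{
    uint8_t buf[64];
    const uint8_t p1[] = { 0xaa, 0xbb, 0xcc };
    size_t off = amsdu_append(buf, 0, p1, sizeof p1, false);

    memcpy(buf + off, DA, 5);
    return amsdu_count_subframes(buf, off + 5);
}

/* Full header present, but its length field (256) exceeds the 4 bytes left. */
int example_bad_length(void)
{
    uint8_t buf[AMSDU_HDR_LEN + 4] = { 0 };

    memcpy(buf, DA, ETH_ALEN);
    memcpy(buf + ETH_ALEN, SA, ETH_ALEN);
    buf[2 * ETH_ALEN] = 0x01;
    buf[2 * ETH_ALEN + 1] = 0x00;
    return amsdu_count_subframes(buf, sizeof buf);
}

int main(void)
{
    printf("valid: %d, truncated: %d, bad length: %d\n",
           example_valid(), example_truncated(), example_bad_length());
    return 0;
}
```

Without the `remaining < AMSDU_HDR_LEN` test, the truncated sample would index two bytes past the end of the buffer to fetch a length field that was never there, which is the out-of-bounds read the patch closes; the second test is the pre-existing `subframe_len > remaining` check that rejects a length field pointing beyond the aggregate.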