Commit 1d47f119 authored by Thomas Pedersen's avatar Thomas Pedersen Committed by Johannes Berg
Browse files

nl80211: correctly validate S1G beacon head 



The S1G beacon has a different header size than regular
beacons, so adjust the beacon head validator.

Signed-off-by: default avatarThomas Pedersen <thomas@adapt-ip.com>
Link: https://lore.kernel.org/r/20200908190323.15814-5-thomas@adapt-ip.com


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 68dbad8c

net/wireless/nl80211.c

+13 −4
Original line number Diff line number Diff line
@@ -209,14 +209,23 @@ static int validate_beacon_head(const struct nlattr *attr, 
	unsigned int len = nla_len(attr);

	const struct element *elem;

	const struct ieee80211_mgmt *mgmt = (void *)data;

	unsigned int fixedlen = offsetof(struct ieee80211_mgmt,

	bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);

	unsigned int fixedlen, hdrlen;



	if (s1g_bcn) {

		fixedlen = offsetof(struct ieee80211_ext,

				    u.s1g_beacon.variable);

		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);

	} else {

		fixedlen = offsetof(struct ieee80211_mgmt,

				    u.beacon.variable);

		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);

	}



	if (len < fixedlen)

		goto err;



	if (ieee80211_hdrlen(mgmt->frame_control) !=

	    offsetof(struct ieee80211_mgmt, u.beacon))

	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)

		goto err;



	data += fixedlen;

net/wireless/util.c

+5 −0
Original line number Diff line number Diff line
@@ -399,6 +399,11 @@ unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc) 
{

	unsigned int hdrlen = 24;



	if (ieee80211_is_ext(fc)) {

		hdrlen = 4;

		goto out;

	}



	if (ieee80211_is_data(fc)) {

		if (ieee80211_has_a4(fc))

			hdrlen = 30;

CRA Git | Maintained and supported by SUSTech CRA and CCSE