| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 |
- From: Wen Gong <[email protected]>
- Date: Tue, 11 May 2021 20:02:53 +0200
- Subject: [PATCH] ath10k: drop fragments with multicast DA for PCIe
- Fragmentation is not used with multicast frames. Discard unexpected
- fragments with multicast DA. This fixes CVE-2020-26145.
- Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
- Cc: [email protected]
- Signed-off-by: Wen Gong <[email protected]>
- Signed-off-by: Jouni Malinen <[email protected]>
- Signed-off-by: Johannes Berg <[email protected]>
- ---
- --- a/drivers/net/wireless/ath/ath10k/htt_rx.c
- +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
- @@ -1768,6 +1768,16 @@ static u64 ath10k_htt_rx_h_get_pn(struct
- return pn;
- }
-
- +static bool ath10k_htt_rx_h_frag_multicast_check(struct ath10k *ar,
- + struct sk_buff *skb,
- + u16 offset)
- +{
- + struct ieee80211_hdr *hdr;
- +
- + hdr = (struct ieee80211_hdr *)(skb->data + offset);
- + return !is_multicast_ether_addr(hdr->addr1);
- +}
- +
- static bool ath10k_htt_rx_h_frag_pn_check(struct ath10k *ar,
- struct sk_buff *skb,
- u16 peer_id,
- @@ -1839,7 +1849,7 @@ static void ath10k_htt_rx_h_mpdu(struct
- bool is_decrypted;
- bool is_mgmt;
- u32 attention;
- - bool frag_pn_check = true;
- + bool frag_pn_check = true, multicast_check = true;
-
- if (skb_queue_empty(amsdu))
- return;
- @@ -1946,13 +1956,20 @@ static void ath10k_htt_rx_h_mpdu(struct
- 0,
- enctype);
-
- - if (!frag_pn_check) {
- - /* Discard the fragment with invalid PN */
- + if (frag)
- + multicast_check = ath10k_htt_rx_h_frag_multicast_check(ar,
- + msdu,
- + 0);
- +
- + if (!frag_pn_check || !multicast_check) {
- + /* Discard the fragment with invalid PN or multicast DA
- + */
- temp = msdu->prev;
- __skb_unlink(msdu, amsdu);
- dev_kfree_skb_any(msdu);
- msdu = temp;
- frag_pn_check = true;
- + multicast_check = true;
- continue;
- }
-
|
