- From: Wen Gong <[email protected]>
- Date: Tue, 11 May 2021 20:02:54 +0200
- Subject: [PATCH] ath10k: drop fragments with multicast DA for SDIO
- Fragmentation is not used with multicast frames. Discard unexpected
- fragments with multicast DA. This fixes CVE-2020-26145.
- Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
- Cc: [email protected]
- Signed-off-by: Wen Gong <[email protected]>
- Signed-off-by: Jouni Malinen <[email protected]>
- Signed-off-by: Johannes Berg <[email protected]>
- ---
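--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -2617,6 +2617,13 @@ static bool ath10k_htt_rx_proc_rx_frag_i
 rx_desc = (struct htt_hl_rx_desc *)(skb->data + tot_hdr_len);
 rx_desc_info = __le32_to_cpu(rx_desc->info);
 
+ hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
+
+ if (is_multicast_ether_addr(hdr->addr1)) {
+ /* Discard the fragment with multicast DA */
+ goto err;
+ }
+
 if (!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)) {
 spin_unlock_bh(&ar->data_lock);
 return ath10k_htt_rx_proc_rx_ind_hl(htt, &resp->rx_ind_hl, skb,
@@ -2624,8 +2631,6 @@ static bool ath10k_htt_rx_proc_rx_frag_i
 HTT_RX_NON_TKIP_MIC);
 }
 
- hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
-
 if (ieee80211_has_retry(hdr->frame_control))
 goto err;
 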
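Review bot: `hdr->addr1` is now read for every fragment indication, including the unencrypted path that previously returned before `hdr` was touched, and nothing visible in this hunk checks that the skb holds `tot_hdr_len + rx_hl->fw_desc.len` bytes plus an 802.11 header. `fw_desc.len` appears to come from the firmware descriptor, so unless an earlier length check exists (the function starts above the hunk, so this cannot be confirmed here), a guard such as `if (skb->len < tot_hdr_len + rx_hl->fw_desc.len + sizeof(struct ieee80211_hdr_3addr)) goto err;` before the cast would keep the multicast test from reading past the buffer. The `err` label and its release of `ar->data_lock` are also outside the hunk. The drop itself is silent; a rate-limited debug message or a counter at the `goto err` would make discarded multicast fragments visible when investigating the injection attempts that CVE-2020-26145 describes.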