diff options
| author | Jouni Malinen <j@w1.fi> | 2013-11-02 09:57:36 -0400 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2013-11-25 10:50:01 -0500 |
| commit | 76a56eb3b0fe82f77b1fb604dbf4a408e6ad7ba2 (patch) | |
| tree | 34753264772055a42bf2c23626ff14eb19a4edcf /drivers/net/wireless/mac80211_hwsim.c | |
| parent | 2d3db210860f1df099a35b1dd54cca35454e0361 (diff) | |
mac80211_hwsim: Fix radiotap header for ACK frames
The earlier addition of rt_tsft to struct hwsim_radiotap_hdr updated
only mac80211_hwsim_monitor_tx() to fill in the new field.
mac80211_hwsim_monitor_ack() did not set the rt_tsft field and as such,
leaked eight bytes of kernel memory to user space. In addition, the
resulting radiotap header is invalid since the field offsets do not
match. Fix these issues by defining a separate radiotap header structure
for the ACK frame case which does not use all the fields.
Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'drivers/net/wireless/mac80211_hwsim.c')
| -rw-r--r-- | drivers/net/wireless/mac80211_hwsim.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 9df7bc91a26f..3df400c593a1 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c | |||
| @@ -383,6 +383,14 @@ struct hwsim_radiotap_hdr { | |||
| 383 | __le16 rt_chbitmask; | 383 | __le16 rt_chbitmask; |
| 384 | } __packed; | 384 | } __packed; |
| 385 | 385 | ||
| 386 | struct hwsim_radiotap_ack_hdr { | ||
| 387 | struct ieee80211_radiotap_header hdr; | ||
| 388 | u8 rt_flags; | ||
| 389 | u8 pad; | ||
| 390 | __le16 rt_channel; | ||
| 391 | __le16 rt_chbitmask; | ||
| 392 | } __packed; | ||
| 393 | |||
| 386 | /* MAC80211_HWSIM netlinf family */ | 394 | /* MAC80211_HWSIM netlinf family */ |
| 387 | static struct genl_family hwsim_genl_family = { | 395 | static struct genl_family hwsim_genl_family = { |
| 388 | .id = GENL_ID_GENERATE, | 396 | .id = GENL_ID_GENERATE, |
| @@ -500,7 +508,7 @@ static void mac80211_hwsim_monitor_ack(struct ieee80211_channel *chan, | |||
| 500 | const u8 *addr) | 508 | const u8 *addr) |
| 501 | { | 509 | { |
| 502 | struct sk_buff *skb; | 510 | struct sk_buff *skb; |
| 503 | struct hwsim_radiotap_hdr *hdr; | 511 | struct hwsim_radiotap_ack_hdr *hdr; |
| 504 | u16 flags; | 512 | u16 flags; |
| 505 | struct ieee80211_hdr *hdr11; | 513 | struct ieee80211_hdr *hdr11; |
| 506 | 514 | ||
| @@ -511,14 +519,14 @@ static void mac80211_hwsim_monitor_ack(struct ieee80211_channel *chan, | |||
| 511 | if (skb == NULL) | 519 | if (skb == NULL) |
| 512 | return; | 520 | return; |
| 513 | 521 | ||
| 514 | hdr = (struct hwsim_radiotap_hdr *) skb_put(skb, sizeof(*hdr)); | 522 | hdr = (struct hwsim_radiotap_ack_hdr *) skb_put(skb, sizeof(*hdr)); |
| 515 | hdr->hdr.it_version = PKTHDR_RADIOTAP_VERSION; | 523 | hdr->hdr.it_version = PKTHDR_RADIOTAP_VERSION; |
| 516 | hdr->hdr.it_pad = 0; | 524 | hdr->hdr.it_pad = 0; |
| 517 | hdr->hdr.it_len = cpu_to_le16(sizeof(*hdr)); | 525 | hdr->hdr.it_len = cpu_to_le16(sizeof(*hdr)); |
| 518 | hdr->hdr.it_present = cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | | 526 | hdr->hdr.it_present = cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | |
| 519 | (1 << IEEE80211_RADIOTAP_CHANNEL)); | 527 | (1 << IEEE80211_RADIOTAP_CHANNEL)); |
| 520 | hdr->rt_flags = 0; | 528 | hdr->rt_flags = 0; |
| 521 | hdr->rt_rate = 0; | 529 | hdr->pad = 0; |
| 522 | hdr->rt_channel = cpu_to_le16(chan->center_freq); | 530 | hdr->rt_channel = cpu_to_le16(chan->center_freq); |
| 523 | flags = IEEE80211_CHAN_2GHZ; | 531 | flags = IEEE80211_CHAN_2GHZ; |
| 524 | hdr->rt_chbitmask = cpu_to_le16(flags); | 532 | hdr->rt_chbitmask = cpu_to_le16(flags); |