author | Johannes Berg <johannes@sipsolutions.net> | 2008-10-07 13:31:17 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2008-10-14 20:47:15 -0400 |
commit | 09914813da37f1ee9d77998a0701629cfbbd98f4 (patch) | |
tree | 6577e7769862378abf62e6867a54b71da1dc12c6 | |
parent | 3eadd751eb8cb8090a65b4fa72c6360fd1aa5f06 (diff) |
mac80211: fix HT information element parsing
There is no check that the HT IEs have the expected length, so an attacker can cause an out-of-bounds access simply by sending a too-short HT information/capability IE.
Fix it by simply pretending those IEs didn't exist when too
short.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/mac80211/ieee80211_i.h | 6 | ||||
-rw-r--r-- | net/mac80211/mlme.c | 3 | ||||
-rw-r--r-- | net/mac80211/util.c | 8 |
3 files changed, 6 insertions, 11 deletions
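--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -816,8 +816,8 @@ struct ieee802_11_elems {
 u8 *ext_supp_rates;
 u8 *wmm_info;
 u8 *wmm_param;
-u8 *ht_cap_elem;
-u8 *ht_info_elem;
+struct ieee80211_ht_cap *ht_cap_elem;
+struct ieee80211_ht_addt_info *ht_info_elem;
 u8 *mesh_config;
 u8 *mesh_id;
 u8 *peer_link;
@@ -844,8 +844,6 @@ struct ieee802_11_elems {
 u8 ext_supp_rates_len;
 u8 wmm_info_len;
 u8 wmm_param_len;
-u8 ht_cap_elem_len;
-u8 ht_info_elem_len;
 u8 mesh_config_len;
 u8 mesh_id_len;
 u8 peer_link_len;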
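Review bot: The typed pointers at lines 819–820 now carry an invariant the struct does not state: they are non-NULL only when the parser found an IE at least `sizeof` the pointed-to struct long, and the `ht_cap_elem_len`/`ht_info_elem_len` fields that let callers check for themselves are removed at 847–848. That contract should live next to the fields so a later caller does not reintroduce a length assumption, e.g. `/* Set only when the IE is at least sizeof(*ht_cap_elem) / sizeof(*ht_info_elem) bytes; NULL otherwise, so callers may dereference without a length check. */`. The rest of struct ieee802_11_elems lies outside the visible hunks, so any other user of the removed `_len` fields cannot be checked here.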
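--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1348,10 +1348,8 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
 (ifsta->flags & IEEE80211_STA_WMM_ENABLED)) {
 struct ieee80211_ht_bss_info bss_info;
 ieee80211_ht_cap_ie_to_ht_info(
-(struct ieee80211_ht_cap *)
 elems.ht_cap_elem, &sta->sta.ht_info);
 ieee80211_ht_addt_info_ie_to_ht_bss_info(
-(struct ieee80211_ht_addt_info *)
 elems.ht_info_elem, &bss_info);
 ieee80211_handle_ht(local, 1, &sta->sta.ht_info, &bss_info);
 }
@@ -1709,7 +1707,6 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
 struct ieee80211_ht_bss_info bss_info;
 
 ieee80211_ht_addt_info_ie_to_ht_bss_info(
-(struct ieee80211_ht_addt_info *)
 elems.ht_info_elem, &bss_info);
 changed |= ieee80211_handle_ht(local, 1, &conf->ht_conf,
 &bss_info);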
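Review bot: After this change `elems.ht_info_elem` (and `elems.ht_cap_elem` in the assoc-resp hunk) is NULL not only when the IE is absent but also when it is shorter than the struct, and the converters at lines 1709–1710 and 1350–1353 are reached under `if` conditions that begin before each hunk; the fix is only complete if those conditions test the pointers themselves, e.g. `if (elems.ht_info_elem && elems.wmm_param && ...)`, rather than an HT/WMM flag. The beacon path is the more exposed one, since any unauthenticated frame on the channel reaches it, so it is worth confirming there first. Both ieee80211_rx_mgmt_assoc_resp and ieee80211_rx_mgmt_beacon start and end outside the visible hunks, so the guarding condition is not visible here.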
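--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -529,12 +529,12 @@ void ieee802_11_parse_elems(u8 *start, size_t len,
 elems->ext_supp_rates_len = elen;
 break;
 case WLAN_EID_HT_CAPABILITY:
-elems->ht_cap_elem = pos;
-elems->ht_cap_elem_len = elen;
+if (elen >= sizeof(struct ieee80211_ht_cap))
+elems->ht_cap_elem = (void *)pos;
 break;
 case WLAN_EID_HT_EXTRA_INFO:
-elems->ht_info_elem = pos;
-elems->ht_info_elem_len = elen;
+if (elen >= sizeof(struct ieee80211_ht_addt_info))
+elems->ht_info_elem = (void *)pos;
 break;
 case WLAN_EID_MESH_ID:
 elems->mesh_id = pos;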
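Review bot: The new checks at lines 532 and 536 silently treat a too-short HT IE as absent and overlay a struct on `pos` via `(void *)`, and neither decision is explained at the point where it is made. A comment would stop a later maintainer from "fixing" the dropped IE or adding back a length field, e.g. `/* Too-short HT IEs are treated as absent: the pointer stays NULL and callers rely on that instead of a length field. */`. The overlay is only sound if `struct ieee80211_ht_cap` and `struct ieee80211_ht_addt_info` are packed and their multi-byte fields are read through little-endian accessors, which is presumably already true of the existing converters but is not visible in this hunk. Note also that the pointer-stays-NULL convention depends on `elems` being zeroed at the top of ieee802_11_parse_elems, which begins outside the hunk.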