mac80211: add length check in ieee80211_is_robust_mgmt_frame()

A few places weren't checking that the frame passed to the function actually has enough data even though the function clearly documents it must have a payload byte. Make this safer by changing the function to take an skb and checking the length inside. The old version is preserved for now as the rtl* drivers use it and don't have a correct skb. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Johannes Berg <johannes.berg@intel.com> 2014-01-23 10:20:29 -0500
committer: Johannes Berg <johannes.berg@intel.com> 2014-02-04 15:58:07 -0500
commit: d8ca16db6bb23d03fcb794df44bae64ae976f27c (patch)
tree: f577a829374c0f9daba8bf70e1ea3d6ac107089c /net
parent: ae811e21df28deb4c2adab0a47fc3da4f56d777b (diff)
3 files changed, 11 insertions, 13 deletions
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index c24ca0d0f469..3b7a750ebc70 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -599,10 +599,10 @@ static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
 {
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
-        if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
+        if (is_multicast_ether_addr(hdr->addr1))
                return 0;
-        return ieee80211_is_robust_mgmt_frame(hdr);
+        return ieee80211_is_robust_mgmt_frame(skb);
 }
@@ -610,10 +610,10 @@ static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
 {
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
-        if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
+        if (!is_multicast_ether_addr(hdr->addr1))
                return 0;
-        return ieee80211_is_robust_mgmt_frame(hdr);
+        return ieee80211_is_robust_mgmt_frame(skb);
 }
@@ -626,7 +626,7 @@ static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
        if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
                return -1;
-        if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
+        if (!ieee80211_is_robust_mgmt_frame(skb))
                return -1; /* not a robust management frame */
        mmie = (struct ieee80211_mmie *)
@@ -1845,8 +1845,7 @@ static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
                 * having configured keys.
                 */
                if (unlikely(ieee80211_is_action(fc) && !rx->key &&
-                             ieee80211_is_robust_mgmt_frame(
+                             ieee80211_is_robust_mgmt_frame(rx->skb)))
-                                     (struct ieee80211_hdr *) rx->skb->data)))
                        return -EACCES;
        }
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index bb990ecfa655..07a7f38dc348 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc, struct sta_info *sta,
        if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
                return 0;
-        if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
+        if (!ieee80211_is_robust_mgmt_frame(skb))
-                                            skb->data))
                return 0;
        return 1;
@@ -567,7 +566,7 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
                tx->key = key;
        else if (ieee80211_is_mgmt(hdr->frame_control) &&
                 is_multicast_ether_addr(hdr->addr1) &&
-                 ieee80211_is_robust_mgmt_frame(hdr) &&
+                 ieee80211_is_robust_mgmt_frame(tx->skb) &&
                 (key = rcu_dereference(tx->sdata->default_mgmt_key)))
                tx->key = key;
        else if (is_multicast_ether_addr(hdr->addr1) &&
@@ -582,12 +581,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
                tx->key = NULL;
        else if (tx->skb->protocol == tx->sdata->control_port_protocol)
                tx->key = NULL;
-        else if (ieee80211_is_robust_mgmt_frame(hdr) &&
+        else if (ieee80211_is_robust_mgmt_frame(tx->skb) &&
                 !(ieee80211_is_action(hdr->frame_control) &&
                   tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
                tx->key = NULL;
        else if (ieee80211_is_mgmt(hdr->frame_control) &&
-                 !ieee80211_is_robust_mgmt_frame(hdr))
+                 !ieee80211_is_robust_mgmt_frame(tx->skb))
                tx->key = NULL;
        else {
                I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 4aed45c8ee3b..b8600e3c29c8 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -494,7 +494,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
        hdrlen = ieee80211_hdrlen(hdr->frame_control);
        if (!ieee80211_is_data(hdr->frame_control) &&
-            !ieee80211_is_robust_mgmt_frame(hdr))
+            !ieee80211_is_robust_mgmt_frame(skb))
                return RX_CONTINUE;
        data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
author	Johannes Berg <johannes.berg@intel.com>	2014-01-23 10:20:29 -0500
committer	Johannes Berg <johannes.berg@intel.com>	2014-02-04 15:58:07 -0500
commit	d8ca16db6bb23d03fcb794df44bae64ae976f27c (patch)
tree	f577a829374c0f9daba8bf70e1ea3d6ac107089c /net
parent	ae811e21df28deb4c2adab0a47fc3da4f56d777b (diff)