From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg
Subject: [PATCH 5.4 2/4] mac80211: mlme: find auth challenge directly
Date: Sun, 16 Oct 2022 08:46:24 +0200
Message-Id: <20221016064454.404903798@linuxfoundation.org>
In-Reply-To: <20221016064454.327821011@linuxfoundation.org>

From: Johannes Berg

There's no need to parse all elements etc. just to find the authentication challenge - use cfg80211_find_elem() instead. This also allows us to remove WLAN_EID_CHALLENGE handling from the element parsing entirely.

Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/ieee80211_i.h | 2 --
 net/mac80211/mlme.c | 11 ++++++-----
 net/mac80211/util.c | 4 ----
 3 files changed, 6 insertions(+), 11 deletions(-)

--- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1460,7 +1460,6 @@ struct ieee802_11_elems { const u8 *supp_rates; const u8 *ds_params; const struct ieee80211_tim_ie *tim; - const u8 *challenge; const u8 *rsn; const u8 *erp_info; const u8 *ext_supp_rates; 
@@ -1507,7 +1506,6 @@ struct ieee802_11_elems { u8 ssid_len; u8 supp_rates_len; u8 tim_len; - u8 challenge_len; u8 rsn_len; u8 ext_supp_rates_len; u8 wmm_info_len; --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2829,14 +2829,14 @@ static void ieee80211_auth_challenge(str { struct ieee80211_local *local = sdata->local; struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data; + const struct element *challenge; u8 *pos; - struct ieee802_11_elems elems; u32 tx_flags = 0; pos = mgmt->u.auth.variable; - ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, auth_data->bss->bssid); - if (!elems.challenge) + challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos, + len - (pos - (u8 *)mgmt)); + if (!challenge) return; auth_data->expected_transaction = 4; drv_mgd_prepare_tx(sdata->local, sdata, 0); @@ -2844,7 +2844,8 @@ static void ieee80211_auth_challenge(str tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS | IEEE80211_TX_INTFL_MLME_CONN_TX; ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0, - elems.challenge - 2, elems.challenge_len + 2, + (void *)challenge, + challenge->datalen + sizeof(*challenge), auth_data->bss->bssid, auth_data->bss->bssid, auth_data->key, auth_data->key_len, auth_data->key_idx, tx_flags); --- a/net/mac80211/util.c +++ b/net/mac80211/util.c 
@@ -1006,10 +1006,6 @@ _ieee802_11_parse_elems_crc(const u8 *st } else elem_parse_failed = true; break; - case WLAN_EID_CHALLENGE: - elems->challenge = pos; - elems->challenge_len = elen; - break; case WLAN_EID_VENDOR_SPECIFIC: if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && pos[2] == 0xf2) { 
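
Review bot: In the second mlme.c hunk of [PATCH 5.4 2/4] (@@ -2844), `(void *)challenge` casts away the const on `const struct element *challenge` when handing it to ieee80211_send_auth(); the removed call passed `elems.challenge - 2`, which was a `const u8 *`, so `(const u8 *)challenge` would keep the qualifier. In the @@ -2829 hunk the length given to cfg80211_find_elem() is still `len - (pos - (u8 *)mgmt)`, and nothing visible in the hunk checks that len covers the fixed part of the auth frame; a short comment naming where that is guaranteed would help, since `challenge->datalen + sizeof(*challenge)` is only as trustworthy as that bound.
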
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg
Subject: [PATCH 5.4 3/4] wifi: mac80211: dont parse mbssid in assoc response
Date: Sun, 16 Oct 2022 08:46:25 +0200
Message-Id: <20221016064454.438611868@linuxfoundation.org>
In-Reply-To: <20221016064454.327821011@linuxfoundation.org>

From: Johannes Berg

This is simply not valid and simplifies the next commit. I'll make a separate patch for this in the current main tree as well.

Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/mlme.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c 
@@ -3224,7 +3224,7 @@ static bool ieee80211_assoc_success(stru pos = mgmt->u.assoc_resp.variable; ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); if (!elems.supp_rates) { sdata_info(sdata, "no SuppRates element in AssocResp\n"); 
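
Review bot: The new `NULL` last argument in this ieee80211_assoc_success() call (and in the matching ieee80211_rx_mgmt_assoc_resp() call in the next hunk) carries no comment, and the commit message only says that parsing MBSSID here is "not valid". The message of patch 4/4 states that the non-transmitted profile is freed only where the last parsing argument is non-NULL, so these two call sites stay leak-free only while the argument remains NULL; a one-line comment at each call saying so would keep a later change from passing a BSSID without adding the matching kfree().
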
@@ -3576,7 +3576,7 @@ static void ieee80211_rx_mgmt_assoc_resp pos = mgmt->u.assoc_resp.variable; ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY && elems.timeout_int && 

From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ilan Peer, Kees Cook, Johannes Berg
Subject: [PATCH 5.4 4/4] wifi: mac80211: fix MBSSID parsing use-after-free
Date: Sun, 16 Oct 2022 08:46:26 +0200
Message-Id: <20221016064454.478100196@linuxfoundation.org>
In-Reply-To: <20221016064454.327821011@linuxfoundation.org>

From: Johannes Berg

Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.

This is a different version of the commit, changed to store the non-transmitted profile in the elems, and freeing it in the few places where it's relevant, since that is only the case when the last argument for parsing (the non-tx BSSID) is non-NULL.

When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed.

Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it.

The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan.

This fixes CVE-2022-42719.

Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
Co-developed-by: Ilan Peer
Signed-off-by: Ilan Peer
Reviewed-by: Kees Cook
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/ieee80211_i.h | 2 ++
 net/mac80211/mlme.c | 6 +++++-
 net/mac80211/scan.c | 2 ++
 net/mac80211/util.c | 7 ++++++-
 4 files changed, 15 insertions(+), 2 deletions(-)

--- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1519,6 +1519,8 @@ struct ieee802_11_elems { u8 country_elem_len; u8 bssid_index_len; + void *nontx_profile; + /* whether a parse error occurred while retrieving these elements */ bool parse_error; }; --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3299,6 +3299,7 @@ static bool ieee80211_assoc_success(stru sdata_info(sdata, "AP bug: VHT operation missing from AssocResp\n"); } + kfree(bss_elems.nontx_profile); } /* @@ -3883,6 +3884,7 @@ static void ieee80211_rx_mgmt_beacon(str ifmgd->assoc_data->timeout = jiffies; ifmgd->assoc_data->timeout_started = true; run_again(sdata, ifmgd->assoc_data->timeout); + kfree(elems.nontx_profile); return; } 
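
Review bot: The early-return path in ieee80211_rx_mgmt_beacon() (@@ -3883) open-codes `kfree(elems.nontx_profile);` before `return;`, while the later hunks in the same function add a `free:` label that performs the same kfree. Using `goto free;` here as well would leave a single cleanup site, so a return added later is less likely to miss the free.
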
@@ -4050,7 +4052,7 @@ static void ieee80211_rx_mgmt_beacon(str ieee80211_report_disconnect(sdata, deauth_buf, sizeof(deauth_buf), true, WLAN_REASON_DEAUTH_LEAVING); - return; + goto free; } if (sta && elems.opmode_notif) @@ -4065,6 +4067,8 @@ static void ieee80211_rx_mgmt_beacon(str elems.cisco_dtpc_elem); ieee80211_bss_info_change_notify(sdata, changed); +free: + kfree(elems.nontx_profile); } void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata, --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -216,6 +216,8 @@ ieee80211_bss_info_update(struct ieee802 rx_status, beacon); } + kfree(elems.nontx_profile); + return bss; } --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1363,6 +1363,11 @@ u32 ieee802_11_parse_elems_crc(const u8 cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, nontransmitted_profile, nontransmitted_profile_len); + if (!nontransmitted_profile_len) { + nontransmitted_profile_len = 0; + kfree(nontransmitted_profile); + nontransmitted_profile = NULL; + } } crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter, @@ -1392,7 +1397,7 @@ u32 ieee802_11_parse_elems_crc(const u8 offsetofend(struct ieee80211_bssid_index, dtim_count)) elems->dtim_count = elems->bssid_index->dtim_count; - kfree(nontransmitted_profile); + elems->nontx_profile = nontransmitted_profile; return crc; }
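
Review bot: Only one `return` in ieee80211_rx_mgmt_beacon() is converted to `goto free;` (@@ -4050), and the diff does not show the rest of the function between the parse call and the new label. Each remaining `return` reached after `elems` has been filled by a parse with a non-NULL BSSID needs the same treatment, otherwise `elems.nontx_profile` leaks on that path; please confirm there are none, or convert them.
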
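
Review bot: In the util.c hunk at @@ -1363, `nontransmitted_profile_len = 0;` sits inside `if (!nontransmitted_profile_len)` and assigns the value the variable already holds; the line can be dropped. The branch also runs after cfg80211_find_ext_elem() has already been called on the empty profile, so moving the check above that call would avoid searching a buffer that is about to be freed.
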
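
Review bot: `void *nontx_profile;` is added to struct ieee802_11_elems (ieee80211_i.h, @@ -1519) without a comment, yet after the last util.c hunk (`elems->nontx_profile = nontransmitted_profile;`) it is a heap allocation that the caller of the parser now owns. A comment on the field stating that other element pointers may point into it and that the caller must kfree() it once done with `elems` would make the new contract visible at the declaration, where the next caller will look.
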
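
The lifetime rule that the commit message of [PATCH 5.4 4/4] describes, as a simplified userspace model added here (not kernel code and not part of the patch): the parser hands its scratch copy to the caller inside the result struct instead of freeing it while element pointers still reference it. The names walk, parse_elems, elems_release and sample_frame, and the toy MBSSID layout, are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { EID_SSID = 0, EID_MBSSID = 71 };  /* 802.11 element IDs */

struct elems {
    const uint8_t *ssid;  /* points into the frame or into nontx_profile */
    uint8_t ssid_len;
    void *nontx_profile;  /* scratch copy, caller-owned: always elems_release() */
};

/* Walk id/len/data elements and record the SSID; -1 on a truncated element. */
static int walk(const uint8_t *buf, size_t len, struct elems *out)
{
    size_t off = 0;
    while (len - off >= 2) {
        size_t elen = buf[off + 1];
        if (elen > len - off - 2)
            return -1;
        if (buf[off] == EID_SSID) {
            out->ssid = buf + off + 2;
            out->ssid_len = (uint8_t)elen;
        }
        off += 2 + elen;
    }
    return off == len ? 0 : -1;
}

/* Toy layout (assumption): MBSSID body = 1 indicator byte + profile elements. */
int parse_elems(const uint8_t *frame, size_t len, int want_nontx, struct elems *out)
{
    memset(out, 0, sizeof(*out));
    if (walk(frame, len, out))
        return -1;
    for (size_t off = 0; want_nontx && len - off >= 2; off += 2 + frame[off + 1]) {
        size_t plen = frame[off + 1];
        if (frame[off] != EID_MBSSID || plen < 2)
            continue;
        uint8_t *scratch = malloc(--plen);  /* drop the indicator byte */
        if (!scratch) return -1;
        memcpy(scratch, frame + off + 3, plen);
        out->nontx_profile = scratch;     /* handed to the caller, not freed here */
        return walk(scratch, plen, out);  /* out->ssid may now point INTO scratch */
    }
    return 0;
}

/* Single release point: every element pointer is invalid afterwards. */
void elems_release(struct elems *e)
{
    free(e->nontx_profile);
    memset(e, 0, sizeof(*e));
}

/* Constructed sample: SSID "tx", then MBSSID holding a profile with SSID "nontx". */
static const uint8_t sample_frame[] = { 0, 2, 't', 'x', 71, 8, 1, 0, 5, 'n', 'o', 'n', 't', 'x' };

int main(void)
{
    struct elems e;
    int rc = parse_elems(sample_frame, sizeof(sample_frame), 1, &e);
    elems_release(&e);
    return rc;
}
```

Freeing `scratch` inside parse_elems() before returning would reproduce the bug class the commit message describes: `out->ssid` would be left pointing into released memory.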