diff options
author | Thomas Pedersen <thomas@adapt-ip.com> | 2020-09-08 12:03:05 -0700 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2020-09-18 12:30:57 +0200 |
commit | 1d47f1198d58117735edc6b8b1a687db47883f1e (patch) | |
tree | e0baff5ba0d71f0ecc4905797e351b96a939c97c /net/wireless | |
parent | 68dbad8c656960292142832c3b44c63db9831d67 (diff) |
nl80211: correctly validate S1G beacon head
The S1G beacon has a different header size than regular
beacons, so adjust the beacon head validator.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Link: https://lore.kernel.org/r/20200908190323.15814-5-thomas@adapt-ip.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless')
-rw-r--r-- | net/wireless/nl80211.c | 17 | ||||
-rw-r--r-- | net/wireless/util.c | 5 |
2 files changed, 18 insertions, 4 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 7da4d84bcc1a..5d9d51cfc653 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -209,14 +209,23 @@ static int validate_beacon_head(const struct nlattr *attr, unsigned int len = nla_len(attr); const struct element *elem; const struct ieee80211_mgmt *mgmt = (void *)data; - unsigned int fixedlen = offsetof(struct ieee80211_mgmt, - u.beacon.variable); + bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control); + unsigned int fixedlen, hdrlen; + + if (s1g_bcn) { + fixedlen = offsetof(struct ieee80211_ext, + u.s1g_beacon.variable); + hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon); + } else { + fixedlen = offsetof(struct ieee80211_mgmt, + u.beacon.variable); + hdrlen = offsetof(struct ieee80211_mgmt, u.beacon); + } if (len < fixedlen) goto err; - if (ieee80211_hdrlen(mgmt->frame_control) != - offsetof(struct ieee80211_mgmt, u.beacon)) + if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen) goto err; data += fixedlen; diff --git a/net/wireless/util.c b/net/wireless/util.c index 4a9ff9ef513f..49e7c0cbbf62 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -399,6 +399,11 @@ unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc) { unsigned int hdrlen = 24; + if (ieee80211_is_ext(fc)) { + hdrlen = 4; + goto out; + } + if (ieee80211_is_data(fc)) { if (ieee80211_has_a4(fc)) hdrlen = 30; |