diff options
author | Emmanuel Grumbach <emmanuel.grumbach@intel.com> | 2019-07-22 13:02:25 +0300 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2019-07-30 18:34:32 +0200 |
commit | 71b256f8f7a5c09810d2c3ed6165629c2cc0a652 (patch) | |
tree | b6855d953e722017be475e4b121871a9f59223a7 /drivers/net/wireless | |
parent | ba3224db78034435e9ff0247277cce7c7bb1756c (diff) | |
download | linux-stable-71b256f8f7a5c09810d2c3ed6165629c2cc0a652.tar.gz linux-stable-71b256f8f7a5c09810d2c3ed6165629c2cc0a652.tar.bz2 linux-stable-71b256f8f7a5c09810d2c3ed6165629c2cc0a652.zip |
iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment
Accessing the hdr of an skb that was consumed already isn't
a good idea.
First ask if the skb is a QoS packet, then keep that data
on stack, and then consume the skb.
This was spotted by KASAN.
Cc: stable@vger.kernel.org
Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'drivers/net/wireless')
-rw-r--r-- | drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c index a3e5d88f1c07..6ac114a393cc 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c @@ -831,6 +831,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *skb, unsigned int num_subframes, unsigned int tcp_payload_len; unsigned int mss = skb_shinfo(skb)->gso_size; bool ipv4 = (skb->protocol == htons(ETH_P_IP)); + bool qos = ieee80211_is_data_qos(hdr->frame_control); u16 ip_base_id = ipv4 ? ntohs(ip_hdr(skb)->id) : 0; skb_shinfo(skb)->gso_size = num_subframes * mss; @@ -864,7 +865,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *skb, unsigned int num_subframes, if (tcp_payload_len > mss) { skb_shinfo(tmp)->gso_size = mss; } else { - if (ieee80211_is_data_qos(hdr->frame_control)) { + if (qos) { u8 *qc; if (ipv4) |