summaryrefslogtreecommitdiffstats
path: root/net/wireless
diff options
context:
space:
mode:
authorThomas Pedersen <thomas@adapt-ip.com>2020-09-08 12:03:05 -0700
committerJohannes Berg <johannes.berg@intel.com>2020-09-18 12:30:57 +0200
commit1d47f1198d58117735edc6b8b1a687db47883f1e (patch)
treee0baff5ba0d71f0ecc4905797e351b96a939c97c /net/wireless
parent68dbad8c656960292142832c3b44c63db9831d67 (diff)
downloadlinux-1d47f1198d58117735edc6b8b1a687db47883f1e.tar.gz
linux-1d47f1198d58117735edc6b8b1a687db47883f1e.tar.bz2
linux-1d47f1198d58117735edc6b8b1a687db47883f1e.zip
nl80211: correctly validate S1G beacon head
The S1G beacon has a different header size than regular beacons, so adjust the beacon head validator. Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com> Link: https://lore.kernel.org/r/20200908190323.15814-5-thomas@adapt-ip.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless')
-rw-r--r--net/wireless/nl80211.c17
-rw-r--r--net/wireless/util.c5
2 files changed, 18 insertions, 4 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 7da4d84bcc1a..5d9d51cfc653 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -209,14 +209,23 @@ static int validate_beacon_head(const struct nlattr *attr,
unsigned int len = nla_len(attr);
const struct element *elem;
const struct ieee80211_mgmt *mgmt = (void *)data;
- unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
- u.beacon.variable);
+ bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
+ unsigned int fixedlen, hdrlen;
+
+ if (s1g_bcn) {
+ fixedlen = offsetof(struct ieee80211_ext,
+ u.s1g_beacon.variable);
+ hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
+ } else {
+ fixedlen = offsetof(struct ieee80211_mgmt,
+ u.beacon.variable);
+ hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
+ }
if (len < fixedlen)
goto err;
- if (ieee80211_hdrlen(mgmt->frame_control) !=
- offsetof(struct ieee80211_mgmt, u.beacon))
+ if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
goto err;
data += fixedlen;
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 4a9ff9ef513f..49e7c0cbbf62 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -399,6 +399,11 @@ unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc)
{
unsigned int hdrlen = 24;
+ if (ieee80211_is_ext(fc)) {
+ hdrlen = 4;
+ goto out;
+ }
+
if (ieee80211_is_data(fc)) {
if (ieee80211_has_a4(fc))
hdrlen = 30;