diff options
author | Johannes Berg <johannes.berg@intel.com> | 2020-10-09 13:25:41 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2020-10-30 10:03:48 +0100 |
commit | 14f46c1e5108696ec1e5a129e838ecedf108c7bf (patch) | |
tree | 334bdf85f2235c5260ba7b1f5c97d96b6ca852bc /fs | |
parent | mac80211: fix regression where EAPOL frames were sent in plaintext (diff) | |
download | linux-14f46c1e5108696ec1e5a129e838ecedf108c7bf.tar.xz linux-14f46c1e5108696ec1e5a129e838ecedf108c7bf.zip |
mac80211: fix use of skb payload instead of header
When ieee80211_skb_resize() is called from ieee80211_build_hdr()
the skb has no 802.11 header yet, in fact it consist only of the
payload as the ethernet frame is removed. As such, we're using
the payload data for ieee80211_is_mgmt(), which is of course
completely wrong. This didn't really hurt us because these are
always data frames, so we could only have added more tailroom
than we needed if we determined it was a management frame and
sdata->crypto_tx_tailroom_needed_cnt was false.
However, syzbot found that of course there need not be any payload,
so we're using at best uninitialized memory for the check.
Fix this to pass explicitly the kind of frame that we have instead
of checking there, by replacing the "bool may_encrypt" argument
with an argument that can carry the three possible states - it's
not going to be encrypted, it's a management frame, or it's a data
frame (and then we check sdata->crypto_tx_tailroom_needed_cnt).
Reported-by: syzbot+32fd1a1bfe355e93f1e2@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20201009132538.e1fd7f802947.I799b288466ea2815f9d4c84349fae697dca2f189@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'fs')
0 files changed, 0 insertions, 0 deletions