| Field | Value | Date |
|---|---|---|
| author | Jouni Malinen <jouni@codeaurora.org> | 2018-12-05 11:55:54 +0100 |
| committer | Johannes Berg <johannes.berg@intel.com> | 2018-12-05 12:51:29 +0100 |
| commit | 312ca38ddda64bac6513ec68e0ac3789b4eb44dc | |
| tree | 4e5f65fd4521b239e3179233c26c944b6639e323 /net/wireless | |
| parent | mac80211: ignore NullFunc frames in the duplicate detection | |
cfg80211: Fix busy loop regression in ieee80211_ie_split_ric()
This function was modified to support the information element extension
case (WLAN_EID_EXTENSION) in a manner that would result in an infinite
loop when going through a set of IEs that include WLAN_EID_RIC_DATA and
contain an IE that is in the after_ric array. The only place where this
can currently happen is in mac80211 ieee80211_send_assoc() where
ieee80211_ie_split_ric() is called with after_ric[].
This can be triggered by valid data from user space nl80211
association/connect request (i.e., requiring GENL_UNS_ADMIN_PERM). The
only known application having an option to include WLAN_EID_RIC_DATA in
these requests is wpa_supplicant and it had a bug that prevented this
specific content from being used (and because of that, not triggering
this kernel bug in an automated test case ap_ft_ric) and now that this
bug is fixed, it has a workaround to avoid this kernel issue.
WLAN_EID_RIC_DATA is currently used only for testing purposes, so this
does not cause significant harm for production use cases.
Fixes: 2512b1b18d07 ("mac80211: extend ieee80211_ie_split to support EXTENSION")
Cc: stable@vger.kernel.org
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
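The loop the commit message describes, as an added, simplified model written for this page (it is not the kernel's ieee80211_ie_split_ric() and uses a single after_ric id list instead of the kernel's separate extension/non-extension lookup); `fixed == false` reproduces the pre-patch branch where `pos` stops advancing, bounded by `max_iter` so the model returns instead of hanging, and the sample element buffer is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Element IDs from IEEE 802.11; the walk below is a constructed model of
 * the loop in ieee80211_ie_split_ric(), not the kernel source. */
#define WLAN_EID_RSN 48
#define WLAN_EID_RIC_DATA 57
#define WLAN_EID_EXTENSION 255

/* Advance past the element at pos: 1 byte id, 1 byte length, then body. */
static size_t skip_ie(const uint8_t *ies, size_t ielen, size_t pos)
{
    pos += 2 + ies[pos + 1];
    return pos > ielen ? ielen : pos; /* clamp a truncated element */
}

static bool id_in_list(const uint8_t *ids, int n, uint8_t id)
{
    for (int i = 0; i < n; i++)
        if (ids[i] == id)
            return true;
    return false;
}

/* Walk the elements after a RIC Data element until one listed in after_ric
 * appears. fixed == true applies the patch's "else break;"; fixed == false
 * models the pre-patch loop, where pos never moves once such an element is
 * reached, so max_iter bounds it and (size_t)-1 signals "would hang". */
size_t walk_ric_block(const uint8_t *ies, size_t ielen, size_t pos,
                      const uint8_t *after_ric, int n_after_ric,
                      bool fixed, unsigned max_iter)
{
    pos = skip_ie(ies, ielen, pos); /* step over the RIC Data element */
    while (pos < ielen) {
        size_t ext = ies[pos] == WLAN_EID_EXTENSION ? 2 : 0;
        if (pos + ext >= ielen)
            break;
        if (!id_in_list(after_ric, n_after_ric, ies[pos + ext]))
            pos = skip_ie(ies, ielen, pos);
        else if (fixed)
            break; /* the two added lines of the patch */
        if (max_iter-- == 0)
            return (size_t)-1; /* pre-patch: pos is stuck, loop spins */
    }
    return pos;
}

/* Constructed sample: RIC Data, an unrelated element (id 60), then RSN. */
static const uint8_t sample_ies[] = { WLAN_EID_RIC_DATA, 1, 0x00, 60, 0,
                                      WLAN_EID_RSN, 2, 1, 0 };
static const uint8_t sample_after_ric[] = { WLAN_EID_RSN };
```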
Diffstat (limited to 'net/wireless')
-rw-r--r-- | net/wireless/util.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/wireless/util.c b/net/wireless/util.c index ef14d80ca03e..d473bd135da8 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -1421,6 +1421,8 @@ size_t ieee80211_ie_split_ric(const u8 *ies, size_t ielen, ies[pos + ext], ext == 2)) pos = skip_ie(ies, ielen, pos); + else + break; } } else { pos = skip_ie(ies, ielen, pos); |
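Review bot: the added `else break;` is the loop's only exit once an element listed in after_ric is reached; in the visible context the other branch is the sole place `pos` is advanced (`pos = skip_ie(ies, ielen, pos);`), so before this change the matching case left `pos` unchanged and the enclosing loop could not terminate, exactly as the message describes. Because the head of the condition is outside the hunk context and the fix depends on the sense of that test, a short comment above the `break` (for example `/* first after_ric element ends the RIC block */`) would make the intent survive future edits; the Fixes: tag pointing at 2512b1b18d07 and the Cc: stable are appropriate for a regression this easy to trip.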