Commit d55aa5e1 authored by Felix Fietkau's avatar Felix Fietkau

mt76: mt7603: fix input validation issues for powersave-filtered frames

Before extracting the tid out of the packet, check if it was qos-data.
Only accept tid values 0-7
Also, avoid accepting the hardware queue as skb queue mapping, it could
lead to an overrun. Instead, derive the hardware queue from the tid number,
in order to avoid issues with packets being filtered multiple times.
This also fixes a mismatch between hardware and software queue indexes.
Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
parent c99dc3c1
...@@ -30,6 +30,16 @@ mt7603_init_tx_queue(struct mt7603_dev *dev, struct mt76_sw_queue *q, ...@@ -30,6 +30,16 @@ mt7603_init_tx_queue(struct mt7603_dev *dev, struct mt76_sw_queue *q,
static void static void
mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
{ {
static const u8 tid_to_ac[8] = {
IEEE80211_AC_BE,
IEEE80211_AC_BK,
IEEE80211_AC_BK,
IEEE80211_AC_BE,
IEEE80211_AC_VI,
IEEE80211_AC_VI,
IEEE80211_AC_VO,
IEEE80211_AC_VO
};
__le32 *txd = (__le32 *)skb->data; __le32 *txd = (__le32 *)skb->data;
struct ieee80211_hdr *hdr; struct ieee80211_hdr *hdr;
struct ieee80211_sta *sta; struct ieee80211_sta *sta;
...@@ -38,7 +48,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) ...@@ -38,7 +48,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
void *priv; void *priv;
int idx; int idx;
u32 val; u32 val;
u8 tid; u8 tid = 0;
if (skb->len < MT_TXD_SIZE + sizeof(struct ieee80211_hdr)) if (skb->len < MT_TXD_SIZE + sizeof(struct ieee80211_hdr))
goto free; goto free;
...@@ -56,15 +66,16 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) ...@@ -56,15 +66,16 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
priv = msta = container_of(wcid, struct mt7603_sta, wcid); priv = msta = container_of(wcid, struct mt7603_sta, wcid);
val = le32_to_cpu(txd[0]); val = le32_to_cpu(txd[0]);
skb_set_queue_mapping(skb, FIELD_GET(MT_TXD0_Q_IDX, val));
val &= ~(MT_TXD0_P_IDX | MT_TXD0_Q_IDX); val &= ~(MT_TXD0_P_IDX | MT_TXD0_Q_IDX);
val |= FIELD_PREP(MT_TXD0_Q_IDX, MT_TX_HW_QUEUE_MGMT); val |= FIELD_PREP(MT_TXD0_Q_IDX, MT_TX_HW_QUEUE_MGMT);
txd[0] = cpu_to_le32(val); txd[0] = cpu_to_le32(val);
sta = container_of(priv, struct ieee80211_sta, drv_priv); sta = container_of(priv, struct ieee80211_sta, drv_priv);
hdr = (struct ieee80211_hdr *)&skb->data[MT_TXD_SIZE]; hdr = (struct ieee80211_hdr *)&skb->data[MT_TXD_SIZE];
tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; if (ieee80211_is_data_qos(hdr->frame_control))
tid = *ieee80211_get_qos_ctl(hdr) &
IEEE80211_QOS_CTL_TAG1D_MASK;
skb_set_queue_mapping(skb, tid_to_ac[tid]);
ieee80211_sta_set_buffered(sta, tid, true); ieee80211_sta_set_buffered(sta, tid, true);
spin_lock_bh(&dev->ps_lock); spin_lock_bh(&dev->ps_lock);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment