Commit d9e24970 authored by Felix Fietkau's avatar Felix Fietkau Committed by Johannes Berg

wifi: cfg80211: fix ieee80211_data_to_8023_exthdr handling of small packets

STP topology change notification packets only have a payload of 7 bytes,
so they get dropped due to the skb->len < hdrlen + 8 check.
Fix this by removing the extra 8 from the skb->len check and checking the
return code on the skb_copy_bits calls.

Fixes: 2d1c304c ("cfg80211: add function for 802.3 conversion with separate output buffer")
Reported-by: default avatarChad Monroe <chad.monroe@smartrg.com>
Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent c95014e1
...@@ -559,7 +559,7 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, ...@@ -559,7 +559,7 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
return -1; return -1;
hdrlen = ieee80211_hdrlen(hdr->frame_control) + data_offset; hdrlen = ieee80211_hdrlen(hdr->frame_control) + data_offset;
if (skb->len < hdrlen + 8) if (skb->len < hdrlen)
return -1; return -1;
/* convert IEEE 802.11 header + possible LLC headers into Ethernet /* convert IEEE 802.11 header + possible LLC headers into Ethernet
...@@ -574,8 +574,9 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, ...@@ -574,8 +574,9 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
memcpy(tmp.h_dest, ieee80211_get_DA(hdr), ETH_ALEN); memcpy(tmp.h_dest, ieee80211_get_DA(hdr), ETH_ALEN);
memcpy(tmp.h_source, ieee80211_get_SA(hdr), ETH_ALEN); memcpy(tmp.h_source, ieee80211_get_SA(hdr), ETH_ALEN);
if (iftype == NL80211_IFTYPE_MESH_POINT) if (iftype == NL80211_IFTYPE_MESH_POINT &&
skb_copy_bits(skb, hdrlen, &mesh_flags, 1); skb_copy_bits(skb, hdrlen, &mesh_flags, 1) < 0)
return -1;
mesh_flags &= MESH_FLAGS_AE; mesh_flags &= MESH_FLAGS_AE;
...@@ -595,11 +596,12 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, ...@@ -595,11 +596,12 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
if (iftype == NL80211_IFTYPE_MESH_POINT) { if (iftype == NL80211_IFTYPE_MESH_POINT) {
if (mesh_flags == MESH_FLAGS_AE_A4) if (mesh_flags == MESH_FLAGS_AE_A4)
return -1; return -1;
if (mesh_flags == MESH_FLAGS_AE_A5_A6) { if (mesh_flags == MESH_FLAGS_AE_A5_A6 &&
skb_copy_bits(skb, hdrlen + skb_copy_bits(skb, hdrlen +
offsetof(struct ieee80211s_hdr, eaddr1), offsetof(struct ieee80211s_hdr, eaddr1),
tmp.h_dest, 2 * ETH_ALEN); tmp.h_dest, 2 * ETH_ALEN) < 0)
} return -1;
hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags); hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags);
} }
break; break;
...@@ -613,10 +615,11 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, ...@@ -613,10 +615,11 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
if (iftype == NL80211_IFTYPE_MESH_POINT) { if (iftype == NL80211_IFTYPE_MESH_POINT) {
if (mesh_flags == MESH_FLAGS_AE_A5_A6) if (mesh_flags == MESH_FLAGS_AE_A5_A6)
return -1; return -1;
if (mesh_flags == MESH_FLAGS_AE_A4) if (mesh_flags == MESH_FLAGS_AE_A4 &&
skb_copy_bits(skb, hdrlen + skb_copy_bits(skb, hdrlen +
offsetof(struct ieee80211s_hdr, eaddr1), offsetof(struct ieee80211s_hdr, eaddr1),
tmp.h_source, ETH_ALEN); tmp.h_source, ETH_ALEN) < 0)
return -1;
hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags); hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags);
} }
break; break;
...@@ -628,16 +631,15 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, ...@@ -628,16 +631,15 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
break; break;
} }
skb_copy_bits(skb, hdrlen, &payload, sizeof(payload)); if (likely(skb_copy_bits(skb, hdrlen, &payload, sizeof(payload)) == 0 &&
tmp.h_proto = payload.proto; ((!is_amsdu && ether_addr_equal(payload.hdr, rfc1042_header) &&
payload.proto != htons(ETH_P_AARP) &&
if (likely((!is_amsdu && ether_addr_equal(payload.hdr, rfc1042_header) && payload.proto != htons(ETH_P_IPX)) ||
tmp.h_proto != htons(ETH_P_AARP) && ether_addr_equal(payload.hdr, bridge_tunnel_header)))) {
tmp.h_proto != htons(ETH_P_IPX)) ||
ether_addr_equal(payload.hdr, bridge_tunnel_header))) {
/* remove RFC1042 or Bridge-Tunnel encapsulation and /* remove RFC1042 or Bridge-Tunnel encapsulation and
* replace EtherType */ * replace EtherType */
hdrlen += ETH_ALEN + 2; hdrlen += ETH_ALEN + 2;
tmp.h_proto = payload.proto;
skb_postpull_rcsum(skb, &payload, ETH_ALEN + 2); skb_postpull_rcsum(skb, &payload, ETH_ALEN + 2);
} else { } else {
tmp.h_proto = htons(skb->len - hdrlen); tmp.h_proto = htons(skb->len - hdrlen);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment