wifi: mac80211_hwsim: drop short frames

While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are passed in. Reported-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

wifi: mac80211_hwsim: drop short frames
While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are passed in. Reported-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
fba360a0 · Johannes Berg · 67dfa589 · fba360a0
Commit fba360a0 authored Aug 15, 2023 by Johannes Berg
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

drivers/net/wireless/virtual/mac80211_hwsim.c drivers/net/wireless/virtual/mac80211_hwsim.c +4 -3

No files found.
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -5626,14 +5626,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
 	frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]);
 	frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]);

+	if (frame_data_len < sizeof(struct ieee80211_hdr_3addr) ||
+	    frame_data_len > IEEE80211_MAX_DATA_LEN)
+		goto err;
+
 	/* Allocate new skb here */
 	skb = alloc_skb(frame_data_len, GFP_KERNEL);
 	if (skb == NULL)
 		goto err;

-	if (frame_data_len > IEEE80211_MAX_DATA_LEN)
-		goto err;
-
 	/* Copy the data */
 	skb_put_data(skb, frame_data, frame_data_len);