mac80211: fix use-after-free in CCMP/GCMP RX
Johannes Berg authored
When PN checking is done in mac80211, for fragmentation we need
to copy the PN to the RX struct so we can later use it to do a
comparison, since commit bf30ca92 ("mac80211: check defrag
PN against current frame").

Unfortunately, in that commit I used the 'hdr' variable without
it being necessarily valid, so use-after-free could occur if it
was necessary to reallocate (parts of) the frame.

Fix this by reloading the variable after the code that results
in the reallocations, if any.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.

Cc: stable@vger.kernel.org
Fixes: bf30ca92 ("mac80211: check defrag PN against current frame")
Link: https://lore.kernel.org/r/20210927115838.12b9ac6bb233.I1d066acd5408a662c3b6e828122cd314fcb28cdb@changeid

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
94513069
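As an added illustration of the pattern this fix describes (not code from the commit or from mac80211), the toy below models a frame buffer that may be reallocated and shows the corrected order: reload the header pointer after the reallocating call, then copy the CCMP PN into the RX state. `struct frame`, `maybe_realloc_frame`, `ccmp_copy_pn` and `demo_pn_after_realloc` are hypothetical stand-ins for the skb, the reallocation path and the RX code; the CCMP header layout is the standard 802.11 one.

```c
/* Toy model of the hazard in the commit: a 'hdr' pointer into the frame loaded
 * before code that may reallocate the frame. Constructed example, not mac80211
 * code; struct and function names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PN_LEN 6
struct frame { uint8_t *data; size_t len; };   /* stand-in for an skb */
struct rx_status { uint8_t pn[PN_LEN]; };       /* PN kept for the defrag check */

/* 48-bit PN from the 8-byte CCMP header (PN0 PN1 rsvd KeyID/ExtIV PN2..PN5), MSB first. */
static void ccmp_hdr2pn(uint8_t *pn, const uint8_t *c)
{
    pn[0] = c[7]; pn[1] = c[6]; pn[2] = c[5]; pn[3] = c[4]; pn[4] = c[1]; pn[5] = c[0];
}

/* Models the code that may reallocate (parts of) the frame. It always moves
 * the buffer, so a pointer loaded before this call dangles afterwards. */
static bool maybe_realloc_frame(struct frame *f, bool need_realloc)
{
    if (!need_realloc) return true;
    uint8_t *nd = malloc(f->len);
    if (!nd) return false;
    memcpy(nd, f->data, f->len);
    free(f->data);                              /* any old 'hdr' now dangles */
    f->data = nd;
    return true;
}

/* Corrected pattern: load 'hdr' only after the reallocating code has run. */
bool ccmp_copy_pn(struct frame *f, struct rx_status *rx, size_t hdrlen, bool need_realloc)
{
    if (!maybe_realloc_frame(f, need_realloc)) return false;
    const uint8_t *hdr = f->data;               /* (re)loaded after reallocation */
    if (f->len < hdrlen + 8) return false;      /* need the whole CCMP header */
    ccmp_hdr2pn(rx->pn, hdr + hdrlen);
    return true;
}

/* Constructed frame: 24-byte 802.11 header, CCMP header carrying PN
 * 0x040302010605, 4 payload bytes. Returns true if that PN reaches rx_status. */
bool demo_pn_after_realloc(bool need_realloc)
{
    static const uint8_t ccmp_hdr[8] = {0x05,0x06,0x00,0x20,0x01,0x02,0x03,0x04};
    static const uint8_t want[PN_LEN] = {0x04,0x03,0x02,0x01,0x06,0x05};
    struct frame f = { .data = calloc(36, 1), .len = 36 };
    struct rx_status rx = {{0}};
    if (!f.data) return false;
    memcpy(f.data + 24, ccmp_hdr, 8);
    bool ok = ccmp_copy_pn(&f, &rx, 24, need_realloc) && memcmp(rx.pn, want, PN_LEN) == 0;
    free(f.data);
    return ok;
}
```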