Commit b8d92c9c authored by Johannes Berg's avatar Johannes Berg Committed by John W. Linville

mac80211: don't process work item with wrong frame

When we process a frame, we currently just match it
to the work struct by the MAC addresses, and not by
the work type. This means that we can end up doing
the work for an association request item when (for
whatever reason) we receive another frame type, for
example a probe response. Processing the wrong type
of frame will lead to completely invalid data being
processed, and will lead to various problems like
thinking the association was successful even if the
AP never sent an assocation response.

Fix this by making each processing function check
that it is invoked for the right work struct type
only and continue processing otherwise (and drop
frames that we didn't expect).

This bug was uncovered during the debugging for
https://bugzilla.kernel.org/show_bug.cgi?id=15862
but doesn't seem to be the cause for any of the
various problems reported there.
Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 562db532
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
#define IEEE80211_MAX_PROBE_TRIES 5 #define IEEE80211_MAX_PROBE_TRIES 5
enum work_action { enum work_action {
WORK_ACT_MISMATCH,
WORK_ACT_NONE, WORK_ACT_NONE,
WORK_ACT_TIMEOUT, WORK_ACT_TIMEOUT,
WORK_ACT_DONE, WORK_ACT_DONE,
...@@ -574,7 +575,7 @@ ieee80211_rx_mgmt_auth(struct ieee80211_work *wk, ...@@ -574,7 +575,7 @@ ieee80211_rx_mgmt_auth(struct ieee80211_work *wk,
u16 auth_alg, auth_transaction, status_code; u16 auth_alg, auth_transaction, status_code;
if (wk->type != IEEE80211_WORK_AUTH) if (wk->type != IEEE80211_WORK_AUTH)
return WORK_ACT_NONE; return WORK_ACT_MISMATCH;
if (len < 24 + 6) if (len < 24 + 6)
return WORK_ACT_NONE; return WORK_ACT_NONE;
...@@ -625,6 +626,9 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee80211_work *wk, ...@@ -625,6 +626,9 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee80211_work *wk,
struct ieee802_11_elems elems; struct ieee802_11_elems elems;
u8 *pos; u8 *pos;
if (wk->type != IEEE80211_WORK_ASSOC)
return WORK_ACT_MISMATCH;
/* /*
* AssocResp and ReassocResp have identical structure, so process both * AssocResp and ReassocResp have identical structure, so process both
* of them in this function. * of them in this function.
...@@ -680,6 +684,12 @@ ieee80211_rx_mgmt_probe_resp(struct ieee80211_work *wk, ...@@ -680,6 +684,12 @@ ieee80211_rx_mgmt_probe_resp(struct ieee80211_work *wk,
ASSERT_WORK_MTX(local); ASSERT_WORK_MTX(local);
if (wk->type != IEEE80211_WORK_DIRECT_PROBE)
return WORK_ACT_MISMATCH;
if (len < 24 + 12)
return WORK_ACT_NONE;
baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt; baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt;
if (baselen > len) if (baselen > len)
return WORK_ACT_NONE; return WORK_ACT_NONE;
...@@ -694,7 +704,7 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local, ...@@ -694,7 +704,7 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local,
struct ieee80211_rx_status *rx_status; struct ieee80211_rx_status *rx_status;
struct ieee80211_mgmt *mgmt; struct ieee80211_mgmt *mgmt;
struct ieee80211_work *wk; struct ieee80211_work *wk;
enum work_action rma = WORK_ACT_NONE; enum work_action rma;
u16 fc; u16 fc;
rx_status = (struct ieee80211_rx_status *) skb->cb; rx_status = (struct ieee80211_rx_status *) skb->cb;
...@@ -741,7 +751,17 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local, ...@@ -741,7 +751,17 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local,
break; break;
default: default:
WARN_ON(1); WARN_ON(1);
rma = WORK_ACT_NONE;
} }
/*
* We've either received an unexpected frame, or we have
* multiple work items and need to match the frame to the
* right one.
*/
if (rma == WORK_ACT_MISMATCH)
continue;
/* /*
* We've processed this frame for that work, so it can't * We've processed this frame for that work, so it can't
* belong to another work struct. * belong to another work struct.
...@@ -751,6 +771,9 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local, ...@@ -751,6 +771,9 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local,
} }
switch (rma) { switch (rma) {
case WORK_ACT_MISMATCH:
/* ignore this unmatched frame */
break;
case WORK_ACT_NONE: case WORK_ACT_NONE:
break; break;
case WORK_ACT_DONE: case WORK_ACT_DONE:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment