openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
linux/include
History
Mathy Vanhoef bddc0c411a mac80211: Fix NULL ptr deref for injected rate info 
The commit cb17ed29a7 ("mac80211: parse radiotap header when selecting Tx
queue") moved the code to validate the radiotap header from
ieee80211_monitor_start_xmit to ieee80211_parse_tx_radiotap. This made is
possible to share more code with the new Tx queue selection code for
injected frames. But at the same time, it now required the call of
ieee80211_parse_tx_radiotap at the beginning of functions which wanted to
handle the radiotap header. And this broke the rate parser for radiotap
header parser.

The radiotap parser for rates is operating most of the time only on the
data in the actual radiotap header. But for the 802.11a/b/g rates, it must
also know the selected band from the chandef information. But this
information is only written to the ieee80211_tx_info at the end of the
ieee80211_monitor_start_xmit - long after ieee80211_parse_tx_radiotap was
already called. The info->band information was therefore always 0
(NL80211_BAND_2GHZ) when the parser code tried to access it.

For a 5GHz only device, injecting a frame with 802.11a rates would cause a
NULL pointer dereference because local->hw.wiphy->bands[NL80211_BAND_2GHZ]
would most likely have been NULL when the radiotap parser searched for the
correct rate index of the driver.

Cc: stable@vger.kernel.org
Reported-by: Ben Greear <greearb@candelatech.com>
Fixes: cb17ed29a7 ("mac80211: parse radiotap header when selecting Tx queue")
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
[sven@narfation.org: added commit message]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Link: https://lore.kernel.org/r/20210530133226.40587-1-sven@narfation.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
 		2021-05-31 21:40:17 +02:00
..
acpi Merge branches 'acpi-cppc', 'acpi-video' and 'acpi-utils' 2021-04-26 17:04:27 +02:00
asm-generic mm: remove xlate_dev_kmem_ptr() 2021-05-07 00:26:34 -07:00
clocksource ARM: platform support for Apple M1 2021-04-26 12:30:36 -07:00
crypto
drm
dt-bindings Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2021-05-06 23:37:55 -07:00
keys integrity-v5.13 2021-05-01 15:32:18 -07:00
kunit
kvm Merge branch 'kvm-arm64/kill_oprofile_dependency' into kvmarm-master/next 2021-04-22 13:41:49 +01:00
linux Networking fixes for 5.13-rc4, including fixes from bpf, netfilter, 2021-05-26 17:44:49 -10:00
math-emu
media media updates for v5.13-rc1 2021-04-28 09:24:36 -07:00
memory
misc
net mac80211: Fix NULL ptr deref for injected rate info 2021-05-31 21:40:17 +02:00
pcmcia
ras
rdma RDMA/restrack: Add support to get resource tracking for SRQ 2021-04-22 10:30:27 -03:00
scsi SCSI misc on 20210428 2021-04-28 17:22:10 -07:00
soc Networking changes for 5.13. 2021-04-29 11:57:23 -07:00
sound ASoC: Updates for v5.13 2021-04-26 16:59:21 +02:00
target
trace NFS client updates for Linux 5.13 2021-05-07 11:23:41 -07:00
uapi Merge branch 'for-v5.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2021-05-21 06:12:52 -10:00
vdso
video
xen xen/arm: move xen_swiotlb_detect to arm/swiotlb-xen.h 2021-05-14 15:52:05 +02:00