Module Name: src Committed By: maxv Date: Fri Jan 19 07:52:37 UTC 2018
Modified Files: src/sys/net80211: ieee80211_crypto.c Log Message: Style, and make sure that there is a header+trailer included in the packet. The crypto functions can touch the trailer, but they don't check whether it's there in the first place. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/sys/net80211/ieee80211_crypto.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net80211/ieee80211_crypto.c diff -u src/sys/net80211/ieee80211_crypto.c:1.20 src/sys/net80211/ieee80211_crypto.c:1.21 --- src/sys/net80211/ieee80211_crypto.c:1.20 Wed Jan 17 17:41:38 2018 +++ src/sys/net80211/ieee80211_crypto.c Fri Jan 19 07:52:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ieee80211_crypto.c,v 1.20 2018/01/17 17:41:38 maxv Exp $ */ +/* $NetBSD: ieee80211_crypto.c,v 1.21 2018/01/19 07:52:37 maxv Exp $ */ /* * Copyright (c) 2001 Atsushi Onoe @@ -37,7 +37,7 @@ __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_crypto.c,v 1.12 2005/08/08 18:46:35 sam Exp $"); #endif #ifdef __NetBSD__ -__KERNEL_RCSID(0, "$NetBSD: ieee80211_crypto.c,v 1.20 2018/01/17 17:41:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ieee80211_crypto.c,v 1.21 2018/01/19 07:52:37 maxv Exp $"); #endif #ifdef _KERNEL_OPT @@ -48,7 +48,7 @@ __KERNEL_RCSID(0, "$NetBSD: ieee80211_cr * IEEE 802.11 generic crypto support. */ #include <sys/param.h> -#include <sys/mbuf.h> +#include <sys/mbuf.h> #include <sys/socket.h> #include <sys/sockio.h> @@ -72,7 +72,7 @@ __KERNEL_RCSID(0, "$NetBSD: ieee80211_cr static const struct ieee80211_cipher *ciphers[IEEE80211_CIPHER_MAX]; #ifdef INET -#include <netinet/in.h> +#include <netinet/in.h> #include <net/if_ether.h> #endif @@ -136,7 +136,7 @@ cipher_detach(struct ieee80211_key *key) key->wk_cipher->ic_detach(key); } -/* +/* * Wrappers for driver key management methods. */ static __inline int @@ -605,7 +605,12 @@ ieee80211_crypto_decap(struct ieee80211c struct mbuf *m = *mp; u_int8_t keyid; - /* NB: this minimum size data frame could be bigger */ + KASSERT((m->m_flags & M_PKTHDR) != 0); + + /* + * This minimum size data frame could be bigger. It is re-checked + * below. + */ if (m->m_pkthdr.len < IEEE80211_WEP_MINLEN) { IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, "%s: WEP data frame too short, len %u\n", @@ -646,5 +651,16 @@ ieee80211_crypto_decap(struct ieee80211c return NULL; } + /* + * Ensure there is a header+trailer included. + */ + if (m->m_pkthdr.len < hdrlen + cip->ic_header + cip->ic_trailer) { + IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, + "%s: WEP data frame too short, len %u\n", + __func__, m->m_pkthdr.len); + ic->ic_stats.is_rx_tooshort++; + return NULL; + } + return (cip->ic_decap(k, m, hdrlen) ? k : NULL); }