This is a note to let you know that I've just added the patch titled

    mac80211: make sure data is accessible in EAPOL check

to the 3.6-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mac80211-make-sure-data-is-accessible-in-eapol-check.patch
and it can be found in the queue-3.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


From 6dbda2d00d466225f9db1dc695ff852443f28832 Mon Sep 17 00:00:00 2001
From: Johannes Berg <[email protected]>
Date: Fri, 26 Oct 2012 00:41:23 +0200
Subject: mac80211: make sure data is accessible in EAPOL check

From: Johannes Berg <[email protected]>

commit 6dbda2d00d466225f9db1dc695ff852443f28832 upstream.

The code to allow EAPOL frames even when the station
isn't yet marked associated needs to check that the
incoming frame is long enough and due to paged RX it
also can't assume skb->data contains the right data,
it must use skb_copy_bits(). Fix this to avoid using
data that doesn't really exist.

Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 net/mac80211/rx.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -848,14 +848,16 @@ ieee80211_rx_h_check(struct ieee80211_rx
                 */
                if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
                    ieee80211_is_data_present(hdr->frame_control)) {
-                       u16 ethertype;
-                       u8 *payload;
+                       unsigned int hdrlen;
+                       __be16 ethertype;
 
-                       payload = rx->skb->data +
-                               ieee80211_hdrlen(hdr->frame_control);
-                       ethertype = (payload[6] << 8) | payload[7];
-                       if (cpu_to_be16(ethertype) ==
-                           rx->sdata->control_port_protocol)
+                       hdrlen = ieee80211_hdrlen(hdr->frame_control);
+
+                       if (rx->skb->len < hdrlen + 8)
+                               return RX_DROP_MONITOR;
+
+                       skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
+                       if (ethertype == rx->sdata->control_port_protocol)
                                return RX_CONTINUE;
                }
 
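
Review bot: the bounds check and the copy rely on bare constants (`hdrlen + 8`, `hdrlen + 6`, and the length `2`) with no comment tying them together. The 8 is the LLC/SNAP header that follows the 802.11 header, and the ethertype is its last two bytes at offset 6, so a short comment or a named constant, plus `sizeof(ethertype)` in place of `2`, would keep the check and the read from drifting apart in a later edit. The return value of `skb_copy_bits()` is ignored. That is safe here only because the preceding `rx->skb->len < hdrlen + 8` test guarantees the two bytes exist somewhere in the skb (linear or paged), and it is worth saying so in a comment, since removing or loosening that test would leave `ethertype` uninitialized when it is compared. Declaring `ethertype` as `__be16` and comparing it directly against `control_port_protocol` is the right call for sparse. It might also help to note in the changelog that short frames are now dropped with `RX_DROP_MONITOR`, where the old code read `payload[6]` and `payload[7]` with no length check at all.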


Patches currently in stable-queue which might be from [email protected] 
are

queue-3.6/mac80211-use-blacklist-for-duplicate-ie-check.patch
queue-3.6/cfg80211-fix-antenna-gain-handling.patch
queue-3.6/mac80211-verify-that-skb-data-is-present.patch
queue-3.6/mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch
queue-3.6/mac80211-make-sure-data-is-accessible-in-eapol-check.patch
queue-3.6/wireless-drop-invalid-mesh-address-extension-frames.patch
queue-3.6/mac80211-fix-ssid-copy-on-ibss-join.patch
queue-3.6/mac80211-check-management-frame-header-length.patch
queue-3.6/mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch