Just a few fixes:

* MLO connection socket ownership didn't work * basic rates validation was missing (reported by by a private syzbot instances) * puncturing bitmap netlink policy was completely broken * properly check chandef for NULL channel, it can be pointing to a chandef that's still uninitialized -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEpeA8sTs3M8SN2hR410qiO8sPaAAFAmQLGEgACgkQ10qiO8sP aADrxBAAn7viIvzUegAZFsqgAfRsKGmGmwOOqg5Vph5oDRnxjfXTUw6hUf+CfFJp c4baHN0GaiJUNDCUM7KFWOicDDaqFZN8WX+t23mUaweXWHoqcH1S9IjiJCl/XtWu saI16+b062QCIQq3jZ3LGvpgZJXjBZbNDd8VW3eWK3nLdBzfHrDAWqx+TfY6dHHj XG9v3G7Q/IdT04HTNCLznrmptSJHy0FDekjtypK8uOrcUElWnmUf5SXzDXyva4Dl evU7xx5RY0tavqL2xQueOgtEgEBJQZWeQDrkZ4o/HDprsT9n6EObLDnVqJG2E+uO yqSxOR6hpkZfEjzyhmRJu1B4KzNWoxU2rzhNljsjxXNZEXDRTQJ803gSFlPaZ8Iq pXFKBIvuzY+7MIGrDZOQAqAnLYtrfVo7XJbhXUDYm5vmBn0ZwHgnQD0Z6X7E5rpC ukbBkNZ0NztZs4gUdYPzd/Uu/YxECMiLTlNzBcc29demR2peRBWH9preZH+NMGAq Dsq7WJZWVE7apKoyLJ9Fgi+F3h1clRqTns1Fy2dE4Fty6xyUEPGzZ9146ob39iLx ByDZp1MTCkZPfJokzDguupYeOUQavMfLgJqf2upvyBTD3wfWdDReRVDgEExwEvv7 J+Lqp/7qGzynH3UpNtUoc7nQEevVIOB6oqbtQigXE+cvIbiy4sY= =HigV -----END PGP SIGNATURE----- Merge tag 'wireless-2023-03-10' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless Johannes Berg says: ==================== Just a few fixes: * MLO connection socket ownership didn't work * basic rates validation was missing (reported by by a private syzbot instances) * puncturing bitmap netlink policy was completely broken * properly check chandef for NULL channel, it can be pointing to a chandef that's still uninitialized * tag 'wireless-2023-03-10' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: cfg80211: fix MLO connection ownership wifi: mac80211: check basic rates validity wifi: nl80211: fix puncturing bitmap policy wifi: nl80211: fix NULL-ptr deref in offchan check ==================== Link: https://lore.kernel.org/r/20230310114647.35422-1-johannes@sipsolutions.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-03-10 18:19:55 -08:00 · 2023-03-10 18:19:55 -08:00 · 27c30b9b44
commit 27c30b9b44
parent 71582371a5 96c0695083
2 changed files with 26 additions and 21 deletions
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@ -2611,6 +2611,17 @@ static int ieee80211_change_bss(struct wiphy *wiphy,
 	if (!sband)
 		return -EINVAL;

+	if (params->basic_rates) {
+		if (!ieee80211_parse_bitrates(link->conf->chandef.width,
+					      wiphy->bands[sband->band],
+					      params->basic_rates,
+					      params->basic_rates_len,
+					      &link->conf->basic_rates))
+			return -EINVAL;
+		changed |= BSS_CHANGED_BASIC_RATES;
+		ieee80211_check_rate_mask(link);
+	}
+
 	if (params->use_cts_prot >= 0) {
 		link->conf->use_cts_prot = params->use_cts_prot;
 		changed |= BSS_CHANGED_ERP_CTS_PROT;
@ -2632,16 +2643,6 @@ static int ieee80211_change_bss(struct wiphy *wiphy,
 		changed |= BSS_CHANGED_ERP_SLOT;
 	}

-	if (params->basic_rates) {
-		ieee80211_parse_bitrates(link->conf->chandef.width,
-					 wiphy->bands[sband->band],
-					 params->basic_rates,
-					 params->basic_rates_len,
-					 &link->conf->basic_rates);
-		changed |= BSS_CHANGED_BASIC_RATES;
-		ieee80211_check_rate_mask(link);
-	}
-
 	if (params->ap_isolate >= 0) {
 		if (params->ap_isolate)
 			sdata->flags |= IEEE80211_SDATA_DONT_BRIDGE_PACKETS;
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@ -462,6 +462,11 @@ nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
 };

+static struct netlink_range_validation nl80211_punct_bitmap_range = {
+	.min = 0,
+	.max = 0xffff,
+};
+
 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
@ -805,7 +810,8 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
-	[NL80211_ATTR_PUNCT_BITMAP] = NLA_POLICY_RANGE(NLA_U8, 0, 0xffff),
+	[NL80211_ATTR_PUNCT_BITMAP] =
+		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
 };

 /* policy for the key attributes */
@ -8901,7 +8907,7 @@ static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
 		struct cfg80211_chan_def *chandef;

 		chandef = wdev_chandef(wdev, link_id);
-		if (!chandef)
+		if (!chandef || !chandef->chan)
 			continue;

 		/*
@ -10793,8 +10799,7 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,

 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
 					      const u8 *ssid, int ssid_len,
-					      struct nlattr **attrs,
-					      const u8 **bssid_out)
+					      struct nlattr **attrs)
 {
 	struct ieee80211_channel *chan;
 	struct cfg80211_bss *bss;
@ -10821,7 +10826,6 @@ static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device
 	if (!bss)
 		return ERR_PTR(-ENOENT);

-	*bssid_out = bssid;
 	return bss;
 }

@ -10831,7 +10835,7 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
 	struct net_device *dev = info->user_ptr[1];
 	struct cfg80211_assoc_request req = {};
 	struct nlattr **attrs = NULL;
-	const u8 *bssid, *ssid;
+	const u8 *ap_addr, *ssid;
 	unsigned int link_id;
 	int err, ssid_len;

@ -10968,6 +10972,7 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
 			return -EINVAL;

 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
+		ap_addr = req.ap_mld_addr;

 		attrs = kzalloc(attrsize, GFP_KERNEL);
 		if (!attrs)
@ -10993,8 +10998,7 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
 				goto free;
 			}
 			req.links[link_id].bss =
-				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
-						  &bssid);
+				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs);
 			if (IS_ERR(req.links[link_id].bss)) {
 				err = PTR_ERR(req.links[link_id].bss);
 				req.links[link_id].bss = NULL;
@ -11045,10 +11049,10 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
 		if (req.link_id >= 0)
 			return -EINVAL;

-		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
-					    &bssid);
+		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs);
 		if (IS_ERR(req.bss))
 			return PTR_ERR(req.bss);
+		ap_addr = req.bss->bssid;
 	}

 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
@ -11061,7 +11065,7 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
 			dev->ieee80211_ptr->conn_owner_nlportid =
 				info->snd_portid;
 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
-			       bssid, ETH_ALEN);
+			       ap_addr, ETH_ALEN);
 		}

 		wdev_unlock(dev->ieee80211_ptr);