github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 05:55:44 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
57de2dcb18
linux/net/mac80211
History
Johannes Berg 57de2dcb18 mac80211: fix use-after-free in CCMP/GCMP RX 
commit 94513069eb upstream.

When PN checking is done in mac80211, for fragmentation we need
to copy the PN to the RX struct so we can later use it to do a
comparison, since commit bf30ca922a ("mac80211: check defrag
PN against current frame").

Unfortunately, in that commit I used the 'hdr' variable without
it being necessarily valid, so use-after-free could occur if it
was necessary to reallocate (parts of) the frame.

Fix this by reloading the variable after the code that results
in the reallocations, if any.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.

Cc: stable@vger.kernel.org
Fixes: bf30ca922a ("mac80211: check defrag PN against current frame")
Link: https://lore.kernel.org/r/20210927115838.12b9ac6bb233.I1d066acd5408a662c3b6e828122cd314fcb28cdb@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-06 15:55:48 +02:00
..
aead_api.c mac80211: Check crypto_aead_encrypt for errors 2021-04-10 13:36:08 +02:00
aead_api.h
aes_ccm.h
aes_cmac.c mac80211: Update BIP to support Beacon frames 2020-02-24 10:36:03 +01:00
aes_cmac.h
aes_gcm.h
aes_gmac.c mac80211: Check crypto_aead_encrypt for errors 2021-04-10 13:36:08 +02:00
aes_gmac.h
agg-rx.c net: mac80211: agg-rx.c: fix duplicated words 2020-08-27 11:23:08 +02:00
agg-tx.c mac80211: accept aggregation sessions on 6 GHz 2020-05-31 11:27:16 +02:00
airtime.c mac80211: add AQL support for VHT160 tx rates 2020-09-18 11:36:03 +02:00
cfg.c mac80211: fix enabling 4-address mode on a sta vif after assoc 2021-08-04 12:46:42 +02:00
chan.c mac80211: get correct default channel width for S1G 2020-09-28 13:53:05 +02:00
debug.h
debugfs_key.c mac80211: Support BIGTK configuration for Beacon protection 2020-02-24 10:35:57 +01:00
debugfs_key.h mac80211: Support BIGTK configuration for Beacon protection 2020-02-24 10:35:57 +01:00
debugfs_netdev.c cfg80211/mac80211: add connected to auth server to meshconf 2020-07-31 09:24:24 +02:00
debugfs_netdev.h
debugfs_sta.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2020-03-29 21:25:29 -07:00
debugfs_sta.h
debugfs.c mac80211: fix incorrect strlen of .write in debugfs 2021-02-07 15:37:15 +01:00
debugfs.h
driver-ops.c mac80211: fix station rate table updates on assoc 2021-02-10 09:29:16 +01:00
driver-ops.h mac80211: notify the driver when a sta uses 4-address mode 2020-09-18 12:16:16 +02:00
ethtool.c
fils_aead.c
fils_aead.h
he.c mac80211: use HE 6 GHz band capability and pass it to the driver 2020-05-31 11:27:03 +02:00
ht.c mac80211: Use fallthrough pseudo-keyword 2020-07-31 09:24:23 +02:00
ibss.c mac80211: fix double free in ibss_leave 2021-03-30 14:32:08 +02:00
ieee80211_i.h mac80211: fix enabling 4-address mode on a sta vif after assoc 2021-08-04 12:46:42 +02:00
iface.c mac80211: Fix monitor MTU limit so that A-MSDUs get through 2021-09-18 13:40:28 +02:00
Kconfig ath9k: fix build error with LEDS_CLASS=m 2021-02-17 11:02:25 +01:00
key.c mac80211: prevent mixed key and fragment cache attacks 2021-06-03 09:00:29 +02:00
key.h mac80211: prevent mixed key and fragment cache attacks 2021-06-03 09:00:29 +02:00
led.c
led.h
main.c mac80211: bail out if cipher schemes are invalid 2021-05-14 09:50:34 +02:00
Makefile mac80211: initialize last_rate for S1G STAs 2020-10-08 10:40:57 +02:00
mesh_hwmp.c mac80211: fix potential overflow when multiplying to u32 integers 2021-03-04 11:37:32 +01:00
mesh_pathtbl.c mac80211: mesh: fix mesh_pathtbl_init() error path 2020-12-04 17:34:25 -08:00
mesh_plink.c mac80211: fix some more kernel-doc in mesh 2020-09-28 14:36:53 +02:00
mesh_ps.c mac80211: fix some more kernel-doc in mesh 2020-09-28 14:36:53 +02:00
mesh_sync.c
mesh.c mac80211: rename csa counters to countdown counters 2020-08-27 14:12:15 +02:00
mesh.h mac80211: add HE 6 GHz Band Capability element 2020-05-31 11:26:39 +02:00
michael.c
michael.h
mlme.c mac80211: fix enabling 4-address mode on a sta vif after assoc 2021-08-04 12:46:42 +02:00
ocb.c
offchannel.c mac80211: Inform AP when returning operating channel 2020-09-28 13:18:53 +02:00
pm.c
rate.c mac80211: fix station rate table updates on assoc 2021-02-10 09:29:16 +01:00
rate.h mac80211: populate debugfs only after cfg80211 init 2020-04-24 11:30:13 +02:00
rc80211_minstrel_debugfs.c mac80211: minstrel_ht: rename prob_ewma to prob_avg, use it for the new average 2019-10-11 10:31:45 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrel_ht: rename prob_ewma to prob_avg, use it for the new average 2019-10-11 10:31:45 +02:00
rc80211_minstrel_ht.c One batch of changes, containing: 2020-05-26 20:17:35 -07:00
rc80211_minstrel_ht.h mac80211: minstrel_ht: rename prob_ewma to prob_avg, use it for the new average 2019-10-11 10:31:45 +02:00
rc80211_minstrel.c mac80211: minstrel: fix tx status processing corner case 2020-11-12 11:25:09 +01:00
rc80211_minstrel.h mac80211: minstrel: remove deferred sampling code 2020-11-12 11:24:43 +01:00
rx.c mac80211: drop multicast fragments 2021-06-30 08:47:20 -04:00
s1g.c mac80211: initialize last_rate for S1G STAs 2020-10-08 10:40:57 +02:00
scan.c mac80211: fix skb length check in ieee80211_scan_rx() 2021-06-23 14:42:41 +02:00
spectmgmt.c mac80211: 160MHz with extended NSS BW in CSA 2021-02-13 13:55:04 +01:00
sta_info.c mac80211: consider per-CPU statistics if present 2021-07-19 09:44:53 +02:00
sta_info.h mac80211: prevent attacks on TKIP/WEP as well 2021-06-03 09:00:29 +02:00
status.c mac80211: fix memory leak on filtered powersave frames 2020-11-12 11:23:58 +01:00
tdls.c mac80211: Use fallthrough pseudo-keyword 2020-07-31 09:24:23 +02:00
tkip.c mac80211: Fix TKIP replay protection immediately after key setup 2020-01-15 09:52:12 +01:00
tkip.h
trace_msg.h
trace.c
trace.h mac80211: notify the driver when a sta uses 4-address mode 2020-09-18 12:16:16 +02:00
tx.c mac80211: Fix insufficient headroom issue for AMSDU 2021-09-15 09:50:40 +02:00
util.c mac80211: handle various extensible elements correctly 2021-06-30 08:47:23 -04:00
vht.c mac80211: don't set set TDLS STA bandwidth wider than possible 2020-12-30 11:53:50 +01:00
wep.c mac80211: make ieee80211_wep_init() return void 2020-02-07 12:40:34 +01:00
wep.h mac80211: make ieee80211_wep_init() return void 2020-02-07 12:40:34 +01:00
wme.c mac80211: Use fallthrough pseudo-keyword 2020-07-31 09:24:23 +02:00
wme.h
wpa.c mac80211: fix use-after-free in CCMP/GCMP RX 2021-10-06 15:55:48 +02:00
wpa.h