authorJohannes Berg <johannes.berg@intel.com>2020-03-20 10:20:23 +0100
committerJohannes Berg <johannes.berg@intel.com>2020-03-20 14:42:19 +0100
commit95247705c4fdb0057de6d9a98a094cf193d4885c (patch)
treebbd6bff3ae4f34f4d2bc7cc7785de8006bfbf5d0 /net/mac80211/tx.c
parent07e9733886fd038cc673b790dbe310368562e8d6 (diff)
mac80211: don't leave skb->next/prev pointing to stack
In beacon protection, don't leave skb->next/prev pointing to the on-stack list, even if that's actually harmless since we don't use them again afterwards. While at it, check that the SKB on the list is still the same, as that's required here. If not, the encryption (protection) code is buggy. Fixes: 0a3a84360b37 ("mac80211: Beacon protection using the new BIGTK (AP)") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Link: https://lore.kernel.org/r/20200320102021.1be7823fc05e.Ia89fb79a0469d32137c9a04315a1d2dfc7b7d6f5@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/tx.c')
-rw-r--r--net/mac80211/tx.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 83147385c200..49d35936cc9d 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -4670,6 +4670,7 @@ static int ieee80211_beacon_protect(struct sk_buff *skb,
{
ieee80211_tx_result res;
struct ieee80211_tx_data tx;
+ struct sk_buff *check_skb;
memset(&tx, 0, sizeof(tx));
tx.key = rcu_dereference(sdata->default_beacon_key);
@@ -4680,8 +4681,11 @@ static int ieee80211_beacon_protect(struct sk_buff *skb,
__skb_queue_head_init(&tx.skbs);
__skb_queue_tail(&tx.skbs, skb);
res = ieee80211_tx_h_encrypt(&tx);
+ check_skb = __skb_dequeue(&tx.skbs);
+ /* we may crash after this, but it'd be a bug in crypto */
+ WARN_ON(check_skb != skb);
if (WARN_ON_ONCE(res != TX_CONTINUE))
- return -1;
+ return -EINVAL;
return 0;
}
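Review bot: The result of `WARN_ON(check_skb != skb)` is discarded, so when the dequeued buffer is not the one passed in (or the queue is empty and `__skb_dequeue` returns NULL) the function can still return 0 and the caller keeps using `skb`, which the added comment itself admits may crash. Treating the mismatch as a failure would make that path explicit: `if (WARN_ON_ONCE(check_skb != skb)) return -EINVAL;`, where the `_ONCE` form also avoids a warning on every beacon; whether the caller can safely release `skb` on that error is not visible here and needs confirming. Only one entry is dequeued, so any extra buffers a faulty crypto handler queued would presumably stay on the on-stack list unreleased. The start of ieee80211_beacon_protect lies outside this hunk.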