diff options
author | Johannes Berg <johannes.berg@intel.com> | 2020-03-20 10:20:23 +0100 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2020-03-20 14:42:19 +0100 |
commit | 95247705c4fdb0057de6d9a98a094cf193d4885c (patch) | |
tree | bbd6bff3ae4f34f4d2bc7cc7785de8006bfbf5d0 /net/mac80211/tx.c | |
parent | 07e9733886fd038cc673b790dbe310368562e8d6 (diff) | |
download | lwn-95247705c4fdb0057de6d9a98a094cf193d4885c.tar.gz lwn-95247705c4fdb0057de6d9a98a094cf193d4885c.zip |
mac80211: don't leave skb->next/prev pointing to stack
In beacon protection, don't leave skb->next/prev pointing to the
on-stack list, even if that's actually harmless since we don't use
them again afterwards.
While at it, check that the SKB on the list is still the same, as
that's required here. If not, the encryption (protection) code is
buggy.
Fixes: 0a3a84360b37 ("mac80211: Beacon protection using the new BIGTK (AP)")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20200320102021.1be7823fc05e.Ia89fb79a0469d32137c9a04315a1d2dfc7b7d6f5@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/tx.c')
-rw-r--r-- | net/mac80211/tx.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 83147385c200..49d35936cc9d 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -4670,6 +4670,7 @@ static int ieee80211_beacon_protect(struct sk_buff *skb, { ieee80211_tx_result res; struct ieee80211_tx_data tx; + struct sk_buff *check_skb; memset(&tx, 0, sizeof(tx)); tx.key = rcu_dereference(sdata->default_beacon_key); @@ -4680,8 +4681,11 @@ static int ieee80211_beacon_protect(struct sk_buff *skb, __skb_queue_head_init(&tx.skbs); __skb_queue_tail(&tx.skbs, skb); res = ieee80211_tx_h_encrypt(&tx); + check_skb = __skb_dequeue(&tx.skbs); + /* we may crash after this, but it'd be a bug in crypto */ + WARN_ON(check_skb != skb); if (WARN_ON_ONCE(res != TX_CONTINUE)) - return -1; + return -EINVAL; return 0; } |