wifi: mac80211_hwsim: drop short frames

While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are passed in. Reported-by: [email protected] Reviewed-by: Jeff Johnson <[email protected]> Signed-off-by: Johannes Berg <[email protected]>
author: Johannes Berg <[email protected]> 2023-08-15 21:28:01 +0200
committer: Johannes Berg <[email protected]> 2023-08-22 21:40:39 +0200
commit: fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6 (patch)
tree: 49364a307714c86a7c33cc9f85cf058f2d6497a6
parent: 67dfa589aa8806c7959cbca2f4613b8d41c75a06 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
index f446fd0e8cd0..dd516cec4197 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -5626,14 +5626,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
 	frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]);
 	frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]);
 
+	if (frame_data_len < sizeof(struct ieee80211_hdr_3addr) ||
+	    frame_data_len > IEEE80211_MAX_DATA_LEN)
+		goto err;
+
 	/* Allocate new skb here */
 	skb = alloc_skb(frame_data_len, GFP_KERNEL);
 	if (skb == NULL)
 		goto err;
 
-	if (frame_data_len > IEEE80211_MAX_DATA_LEN)
-		goto err;
-
 	/* Copy the data */
 	skb_put_data(skb, frame_data, frame_data_len);
author	Johannes Berg <[email protected]>	2023-08-15 21:28:01 +0200
committer	Johannes Berg <[email protected]>	2023-08-22 21:40:39 +0200
commit	fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6 (patch)
tree	49364a307714c86a7c33cc9f85cf058f2d6497a6
parent	67dfa589aa8806c7959cbca2f4613b8d41c75a06 (diff)