linux: Add upstream patches for CVE-2022-4{1674,2719-2722}
1 From 7d998f6b7365d50a9905bf57fd28b41c7ebe8e9d Mon Sep 17 00:00:00 2001
2 From: Johannes Berg <johannes.berg@intel.com>
3 Date: Thu, 13 Oct 2022 20:16:00 +0200
4 Subject: [PATCH] mac80211: fix memory leaks with element parsing
5
6 commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
7
8 My previous commit 5d24828d05f3 ("mac80211: always allocate
9 struct ieee802_11_elems") had a few bugs and leaked the new
10 allocated struct in a few error cases, fix that.
11
12 Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
13 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
14 Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
15 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
16 Cc: Felix Fietkau <nbd@nbd.name>
17 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 ---
19 net/mac80211/agg-rx.c | 3 ++-
20 net/mac80211/ibss.c | 10 +++++-----
21 net/mac80211/mlme.c | 36 ++++++++++++++++++------------------
22 3 files changed, 25 insertions(+), 24 deletions(-)
23
24 diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
25 index ffa4f31f6c2b..0d2bab9d351c 100644
26 --- a/net/mac80211/agg-rx.c
27 +++ b/net/mac80211/agg-rx.c
28 @@ -499,13 +499,14 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
29 elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
30 ies_len, true, mgmt->bssid, NULL);
31 if (!elems || elems->parse_error)
32 - return;
33 + goto free;
34 }
35
36 __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
37 start_seq_num, ba_policy, tid,
38 buf_size, true, false,
39 elems ? elems->addba_ext_ie : NULL);
40 +free:
41 kfree(elems);
42 }
43
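Review bot: The new label on the `+free:` line is named like the libc allocator, which is legal (labels live in their own namespace) but reads as a function call on a quick scan of the cleanup path; a label that names what is released, `free_elems:` with the matching `goto free_elems;`, keeps the single-exit intent obvious. The change itself is right: on the `parse_error` path the heap-allocated `elems` now reaches `kfree(elems)` instead of leaking. The fall-through case where the `if (ies_len)` block is skipped still relies on `elems` being NULL-initialized at its declaration, which is outside this hunk, as is the rest of ieee80211_process_addba_request.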
44 diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
45 index 4b721b48f86a..48e0260f3424 100644
46 --- a/net/mac80211/ibss.c
47 +++ b/net/mac80211/ibss.c
48 @@ -1663,11 +1663,11 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
49 mgmt->u.action.u.chan_switch.variable,
50 ies_len, true, mgmt->bssid, NULL);
51
52 - if (!elems || elems->parse_error)
53 - break;
54 -
55 - ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
56 - rx_status, elems);
57 + if (elems && !elems->parse_error)
58 + ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
59 + skb->len,
60 + rx_status,
61 + elems);
62 kfree(elems);
63 break;
64 }
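Review bot: Nothing in the rewritten `if (elems && !elems->parse_error)` block says why the early `break` was replaced by falling through, so a later reader may reintroduce a `break` before `kfree(elems)` and the leak this commit fixes; a one-line comment above the condition, `/* elems is heap-allocated; every path must reach kfree() below */`, documents the invariant. The same inverted-condition pattern appears in the two mlme.c action hunks for `ieee80211_sta_process_chanswitch` and would benefit from the same comment. The enclosing ieee80211_ibss_rx_queued_mgmt switch begins and ends outside this hunk.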
65 diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
66 index 45efa1d1c550..cc6d38a2e6d5 100644
67 --- a/net/mac80211/mlme.c
68 +++ b/net/mac80211/mlme.c
69 @@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
70 bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
71 GFP_ATOMIC);
72 rcu_read_unlock();
73 - if (!bss_ies)
74 - return false;
75 + if (!bss_ies) {
76 + ret = false;
77 + goto out;
78 + }
79
80 bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
81 false, mgmt->bssid,
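Review bot: The new `ret = false; goto out;` path depends on three things outside this hunk: a `ret` local, an `out:` label, and whether the cleanup at `out:` frees `bss_elems` (and `elems`) that have not yet been assigned at this point. If `bss_elems` is not NULL-initialized at its declaration, the jump from before the `ieee802_11_parse_elems()` call would hand an uninitialized pointer to `kfree()`; this looks intended (the commit is about freeing on error paths) but the initialization should be confirmed since `kfree(NULL)` is only safe when the pointer really is NULL. ieee80211_assoc_success begins and ends outside the hunk.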
82 @@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
83 mgmt->u.action.u.chan_switch.variable,
84 ies_len, true, mgmt->bssid, NULL);
85
86 - if (!elems || elems->parse_error)
87 - break;
88 -
89 - ieee80211_sta_process_chanswitch(sdata,
90 - rx_status->mactime,
91 - rx_status->device_timestamp,
92 - elems, false);
93 + if (elems && !elems->parse_error)
94 + ieee80211_sta_process_chanswitch(sdata,
95 + rx_status->mactime,
96 + rx_status->device_timestamp,
97 + elems, false);
98 kfree(elems);
99 } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
100 struct ieee802_11_elems *elems;
101 @@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
102 mgmt->u.action.u.ext_chan_switch.variable,
103 ies_len, true, mgmt->bssid, NULL);
104
105 - if (!elems || elems->parse_error)
106 - break;
107 + if (elems && !elems->parse_error) {
108 + /* for the handling code pretend it was an IE */
109 + elems->ext_chansw_ie =
110 + &mgmt->u.action.u.ext_chan_switch.data;
111
112 - /* for the handling code pretend this was also an IE */
113 - elems->ext_chansw_ie =
114 - &mgmt->u.action.u.ext_chan_switch.data;
115 + ieee80211_sta_process_chanswitch(sdata,
116 + rx_status->mactime,
117 + rx_status->device_timestamp,
118 + elems, false);
119 + }
120
121 - ieee80211_sta_process_chanswitch(sdata,
122 - rx_status->mactime,
123 - rx_status->device_timestamp,
124 - elems, false);
125 kfree(elems);
126 }
127 break;
128 --
129 2.30.2
130