]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blobdiff - src/patches/linux/linux-5.15-wifi-security-patches-13.patch
projects / people / pmueller / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
linux: Update to 5.15.85
[people/pmueller/ipfire-2.x.git] / src / patches / linux / linux-5.15-wifi-security-patches-13.patch
diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch b/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
deleted file mode 100644 (file)
index 1d167c1..0000000
--- a/src/patches/linux/linux-5.15-wifi-security-patches-13.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 7d998f6b7365d50a9905bf57fd28b41c7ebe8e9d Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 13 Oct 2022 20:16:00 +0200
-Subject: [PATCH] mac80211: fix memory leaks with element parsing
-
-commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
-
-My previous commit 5d24828d05f3 ("mac80211: always allocate
-struct ieee802_11_elems") had a few bugs and leaked the new
-allocated struct in a few error cases, fix that.
-
-Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Cc: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/agg-rx.c |  3 ++-
- net/mac80211/ibss.c   | 10 +++++-----
- net/mac80211/mlme.c   | 36 ++++++++++++++++++------------------
- 3 files changed, 25 insertions(+), 24 deletions(-)
-
-diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
-index ffa4f31f6c2b..0d2bab9d351c 100644
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -499,13 +499,14 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
-               elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
-                                              ies_len, true, mgmt->bssid, NULL);
-               if (!elems || elems->parse_error)
--                      return;
-+                      goto free;
-       }
-       __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
-                                       start_seq_num, ba_policy, tid,
-                                       buf_size, true, false,
-                                       elems ? elems->addba_ext_ie : NULL);
-+free:
-       kfree(elems);
- }
-diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
-index 4b721b48f86a..48e0260f3424 100644
---- a/net/mac80211/ibss.c
-+++ b/net/mac80211/ibss.c
-@@ -1663,11 +1663,11 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
-                               mgmt->u.action.u.chan_switch.variable,
-                               ies_len, true, mgmt->bssid, NULL);
--                      if (!elems || elems->parse_error)
--                              break;
--
--                      ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
--                                                      rx_status, elems);
-+                      if (elems && !elems->parse_error)
-+                              ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
-+                                                              skb->len,
-+                                                              rx_status,
-+                                                              elems);
-                       kfree(elems);
-                       break;
-               }
-diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
-index 45efa1d1c550..cc6d38a2e6d5 100644
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
-                       bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
-                                         GFP_ATOMIC);
-               rcu_read_unlock();
--              if (!bss_ies)
--                      return false;
-+              if (!bss_ies) {
-+                      ret = false;
-+                      goto out;
-+              }
-               bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
-                                                  false, mgmt->bssid,
-@@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
-                                       mgmt->u.action.u.chan_switch.variable,
-                                       ies_len, true, mgmt->bssid, NULL);
--                      if (!elems || elems->parse_error)
--                              break;
--
--                      ieee80211_sta_process_chanswitch(sdata,
--                                               rx_status->mactime,
--                                               rx_status->device_timestamp,
--                                               elems, false);
-+                      if (elems && !elems->parse_error)
-+                              ieee80211_sta_process_chanswitch(sdata,
-+                                                               rx_status->mactime,
-+                                                               rx_status->device_timestamp,
-+                                                               elems, false);
-                       kfree(elems);
-               } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
-                       struct ieee802_11_elems *elems;
-@@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
-                                       mgmt->u.action.u.ext_chan_switch.variable,
-                                       ies_len, true, mgmt->bssid, NULL);
--                      if (!elems || elems->parse_error)
--                              break;
-+                      if (elems && !elems->parse_error) {
-+                              /* for the handling code pretend it was an IE */
-+                              elems->ext_chansw_ie =
-+                                      &mgmt->u.action.u.ext_chan_switch.data;
--                      /* for the handling code pretend this was also an IE */
--                      elems->ext_chansw_ie =
--                              &mgmt->u.action.u.ext_chan_switch.data;
-+                              ieee80211_sta_process_chanswitch(sdata,
-+                                                               rx_status->mactime,
-+                                                               rx_status->device_timestamp,
-+                                                               elems, false);
-+                      }
--                      ieee80211_sta_process_chanswitch(sdata,
--                                               rx_status->mactime,
--                                               rx_status->device_timestamp,
--                                               elems, false);
-                       kfree(elems);
-               }
-               break;
--- 
-2.30.2
-
Peter's tree of IPFire 2.x