When the AF flag is enabled, hwmp_prep_frame_process() overreads orig_addr
by 2 bytes. Since this occurs within the socket buffer, it does not read
across memory boundaries and therefore poses no security risk; however, we
will fix it as a precaution.
In this fix, a new function mesh_path_parse_reply_frame() is established to
separate the implementation of frame format validation and the check for
unsupported features. This is intended to facilitate future work when
implementing the currently unsupported parts.
Assisted-by: Claude:Sonnet 4.6
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Link: https://patch.msgid.link/20260529230952.124754-5-masashi.honma@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
return elen == needed;
}
+/* IEEE Std 802.11-2016 9.4.2.114 PREP element */
+static inline bool ieee80211_mesh_prep_size_ok(const u8 *pos, u8 elen)
+{
+ u8 needed;
+
+ /* Check if the element contains flags */
+ needed = sizeof(struct ieee80211_mesh_hwmp_prep_top);
+ if (elen < needed)
+ return false;
+
+ needed += (ieee80211_mesh_preq_prep_ae_enabled(pos) ? ETH_ALEN : 0)
+ /* Target External Address */ +
+ sizeof(struct ieee80211_mesh_hwmp_prep_bottom);
+ return elen == needed;
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
path_metric);
}
if (elems->prep) {
- if (elems->prep_len != 31)
- /* Right now we support no AE */
+ /* Right now we do not support AE (Address Extension) */
+ if (ieee80211_mesh_preq_prep_ae_enabled(elems->prep))
goto free;
path_metric = hwmp_route_info_get(sdata, mgmt, elems->prep,
MPATH_PREP);
}
break;
case WLAN_EID_PREP:
- elems->prep = pos;
- elems->prep_len = elen;
+ if (ieee80211_mesh_prep_size_ok(pos, elen)) {
+ elems->prep = pos;
+ elems->prep_len = elen;
+ } else {
+ elem_parse_failed =
+ IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
+ }
break;
case WLAN_EID_PERR:
elems->perr = pos;
projects / thirdparty / linux.git / commitdiff
