From: Greg Kroah-Hartman Date: Mon, 5 Nov 2012 14:04:02 +0000 (+0100) Subject: 3.0-stable patches X-Git-Tag: v3.0.52~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4692ab6bd2c77b4e612032912ccff6ec94878027;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: mac80211-check-management-frame-header-length.patch mac80211-fix-ssid-copy-on-ibss-join.patch
---
diff --git a/queue-3.0/mac80211-check-management-frame-header-length.patch b/queue-3.0/mac80211-check-management-frame-header-length.patch
new file mode 100644
index 00000000000..b660e4f9b6f
--- /dev/null
+++ b/queue-3.0/mac80211-check-management-frame-header-length.patch
@@ -0,0 +1,52 @@
+From 4a4f1a5808c8bb0b72a4f6e5904c53fb8c9cd966 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 26 Oct 2012 00:33:36 +0200
+Subject: mac80211: check management frame header length
+
+From: Johannes Berg
+
+commit 4a4f1a5808c8bb0b72a4f6e5904c53fb8c9cd966 upstream.
+
+Due to pskb_may_pull() checking the skb length, all
+non-management frames are checked on input whether
+their 802.11 header is fully present. Also add that
+check for management frames and remove a check that
+is now duplicate. This prevents accessing skb data
+beyond the frame end.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1360,7 +1360,6 @@ ieee80211_rx_h_defragment(struct ieee802
+ frag = sc & IEEE80211_SCTL_FRAG;
+ 
+ if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
+- (rx->skb)->len < 24 ||
+ is_multicast_ether_addr(hdr->addr1))) {
+ /* not fragmented */
+ goto out;
+@@ -2772,10 +2771,15 @@ static void __ieee80211_rx_handle_packet
+ test_bit(SCAN_SW_SCANNING, &local->scanning)))
+ status->rx_flags |= IEEE80211_RX_IN_SCAN;
+ 
+- if (ieee80211_is_mgmt(fc))
+- err = skb_linearize(skb);
+- else
++ if (ieee80211_is_mgmt(fc)) {
++ /* drop frame if too short for header */
++ if (skb->len < ieee80211_hdrlen(fc))
++ err = -ENOBUFS;
++ else
++ err = skb_linearize(skb);
++ } else {
+ err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
++ }
+ 
+ if (err) {
+ dev_kfree_skb(skb);
diff --git a/queue-3.0/mac80211-fix-ssid-copy-on-ibss-join.patch b/queue-3.0/mac80211-fix-ssid-copy-on-ibss-join.patch
new file mode 100644
index 00000000000..bc8ed84eb2c
--- /dev/null
+++ b/queue-3.0/mac80211-fix-ssid-copy-on-ibss-join.patch
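Review bot: The management-frame branch calls `ieee80211_hdrlen(fc)` and the else branch calls it again as the pskb_may_pull() length, so the two paths check the same bound without that being visible; hoisting it into a local before the branch, `unsigned int hdrlen = ieee80211_hdrlen(fc);`, and using `hdrlen` in both places would make the shared invariant explicit. The added comment `/* drop frame if too short for header */` should also say why the explicit test is needed on this path, e.g. `/* skb_linearize() does not bound-check the header the way pskb_may_pull() does, so check it here */`, otherwise a later reader may treat it as redundant and remove it. Dropping the `(rx->skb)->len < 24` test in ieee80211_rx_h_defragment is only safe if every frame reaching that handler has passed the new check first, which I cannot confirm from the hunk alone. Both inner hunks are cut mid-function; ieee80211_rx_h_defragment and __ieee80211_rx_handle_packet start and end outside the hunk.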
@@ -0,0 +1,36 @@
+From badecb001a310408d3473b1fc2ed5aefd0bc92a9 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli
+Date: Fri, 26 Oct 2012 18:54:25 +0200
+Subject: mac80211: fix SSID copy on IBSS JOIN
+
+From: Antonio Quartulli
+
+commit badecb001a310408d3473b1fc2ed5aefd0bc92a9 upstream.
+
+The 'ssid' field of the cfg80211_ibss_params is a u8 pointer and
+its length is likely to be less than IEEE80211_MAX_SSID_LEN most
+of the time.
+
+This patch fixes the ssid copy in ieee80211_ibss_join() by using
+the SSID length to prevent it from reading beyond the string.
+
+Signed-off-by: Antonio Quartulli
+[rewrapped commit message, small rewording]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ibss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -940,7 +940,7 @@ int ieee80211_ibss_join(struct ieee80211
+ sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
+ sdata->u.ibss.ibss_join_req = jiffies;
+ 
+- memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
++ memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
+ sdata->u.ibss.ssid_len = params->ssid_len;
+ 
+ mutex_unlock(&sdata->u.ibss.mtx);
diff --git a/queue-3.0/series b/queue-3.0/series
index e903cf86b69..fa9583c8738 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -5,3 +5,5 @@ cfg80211-fix-antenna-gain-handling.patch
 wireless-drop-invalid-mesh-address-extension-frames.patch
 mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch
 drm-radeon-fix-load-detection-on-legacy-primary-dac.patch
+mac80211-check-management-frame-header-length.patch
+mac80211-fix-ssid-copy-on-ibss-join.patch
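Review bot: The new memcpy length `params->ssid_len` is not bounded against the destination anywhere in this hunk, so the fix turns the previous over-read into a possible over-write of `sdata->u.ibss.ssid` should any caller pass an ssid_len larger than IEEE80211_MAX_SSID_LEN; I expect cfg80211 rejects such a length before ieee80211_ibss_join() is reached, but that is outside the hunk and should be confirmed. The invariant is worth recording next to the copy, `/* ssid_len is validated against IEEE80211_MAX_SSID_LEN by cfg80211 before we are called */`, or enforcing with a clamp to the destination size. ieee80211_ibss_join() starts and ends outside the hunk.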