There are no issues with the PERR processing itself; however, to maintain
consistency with the previous PREQ/PREP code modifications, I will create a
new mesh_path_parse_error_frame() function to separately implement the
frame format validation and the "not supported" check.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Link: https://patch.msgid.link/20260529230952.124754-6-masashi.honma@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
return elen == needed;
}
+/* IEEE Std 802.11-2016 9.4.2.115 PERR element */
+static inline bool ieee80211_mesh_perr_size_ok(const u8 *pos, u8 elen)
+{
+ struct ieee80211_mesh_hwmp_perr *perr_elem = (void *)pos;
+ const u8 *start = pos;
+ u8 number_of_dst;
+ int needed;
+ int i;
+
+ needed = sizeof(struct ieee80211_mesh_hwmp_perr);
+
+ /* Check if the element contains number of dst */
+ if (elen < needed)
+ return false;
+
+ pos += sizeof(struct ieee80211_mesh_hwmp_perr);
+ number_of_dst = perr_elem->number_of_dst;
+
+ for (i = 0; i < number_of_dst; i++) {
+ struct ieee80211_mesh_hwmp_perr_dst *dst = (void *)pos;
+ u8 dst_len = sizeof(struct ieee80211_mesh_hwmp_perr_dst);
+
+ /* Check if the element contains flags */
+ if (elen < pos - start + dst_len)
+ return false;
+
+ dst_len += ((dst->flags & AE_F) ? ETH_ALEN : 0)
+ /* Destination External Address */ +
+ 2 /* Reason Code */;
+ needed += dst_len;
+ pos += dst_len;
+ }
+
+ return elen == needed;
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
path_metric);
}
if (elems->perr) {
- if (elems->perr_len != 15)
- /* Right now we support only one destination per PERR */
+ struct ieee80211_mesh_hwmp_perr *perr_elem =
+ (struct ieee80211_mesh_hwmp_perr *)elems->perr;
+ int i;
+
+ /* Right now we support only one destination per PERR */
+ if (perr_elem->number_of_dst != 1)
goto free;
+
+ /* Right now we do not support AE (Address Extension) */
+ for (i = 0; i < perr_elem->number_of_dst; i++) {
+ struct ieee80211_mesh_hwmp_perr_dst *dst =
+ ieee80211_mesh_hwmp_perr_get_dst(elems->perr, i);
+
+ if (dst->flags & AE_F)
+ goto free;
+ }
+
hwmp_perr_frame_process(sdata, mgmt, elems->perr);
}
if (elems->rann)
}
break;
case WLAN_EID_PERR:
- elems->perr = pos;
- elems->perr_len = elen;
+ if (ieee80211_mesh_perr_size_ok(pos, elen)) {
+ elems->perr = pos;
+ elems->perr_len = elen;
+ } else {
+ elem_parse_failed =
+ IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
+ }
break;
case WLAN_EID_RANN:
if (elen >= sizeof(struct ieee80211_rann_ie))
projects / thirdparty / kernel / stable.git / commitdiff
