wifi: mac80211: fix crash in beacon protection for P2P-device
If beacon protection is active but the beacon cannot be
decrypted or is otherwise malformed, we call the cfg80211
API to report this to userspace, but that uses a netdev
pointer, which isn't present for P2P-Device. Fix this to
call it only conditionally to ensure cfg80211 won't crash
in the case of P2P-Device.
This fixes CVE-2022-42722.
Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 9eaf183af7
("mac80211: Report beacon protection failures to user space")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
parent
1833b6f46d
commit
b2d03cabe2
|
@ -1979,6 +1979,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
|
||||||
if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
|
if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
|
||||||
mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
|
mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
|
||||||
NUM_DEFAULT_BEACON_KEYS) {
|
NUM_DEFAULT_BEACON_KEYS) {
|
||||||
|
if (rx->sdata->dev)
|
||||||
cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
|
cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
|
||||||
skb->data,
|
skb->data,
|
||||||
skb->len);
|
skb->len);
|
||||||
|
@ -2131,7 +2132,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
|
||||||
/* either the frame has been decrypted or will be dropped */
|
/* either the frame has been decrypted or will be dropped */
|
||||||
status->flag |= RX_FLAG_DECRYPTED;
|
status->flag |= RX_FLAG_DECRYPTED;
|
||||||
|
|
||||||
if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
|
if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
|
||||||
|
rx->sdata->dev))
|
||||||
cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
|
cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
|
||||||
skb->data, skb->len);
|
skb->data, skb->len);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue