[Bionic,1/2] mac80211: drop robust management frames from unknown TA
diff mbox series

Message ID 20190806100633.26677-2-jesse.sung@canonical.com
State New
Headers show
Series
  • Fix for CVE-2019-0136
Related show

Commit Message

Wen-chien Jesse Sung Aug. 6, 2019, 10:06 a.m. UTC
From: Johannes Berg <johannes.berg@intel.com>

BugLink: https://launchpad.net/bugs/1839105

When receiving a robust management frame, drop it if we don't have
rx->sta since then we don't have a security association and thus
couldn't possibly validate the frame.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

CVE-2019-0136

(cherry picked from commit 588f7d39b3592a36fb7702ae3b8bdd9be4621e2f)
Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com>
---
 net/mac80211/rx.c | 2 ++
 1 file changed, 2 insertions(+)

Patch
diff mbox series

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 9e19ddbcb06e..ec34cab43642 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3586,6 +3586,8 @@  static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
 	case NL80211_IFTYPE_STATION:
 		if (!bssid && !sdata->u.mgd.use_4addr)
 			return false;
+		if (ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
+			return false;
 		if (multicast)
 			return true;
 		return ether_addr_equal(sdata->vif.addr, hdr->addr1);