From patchwork Tue Aug 13 13:10:46 2019
X-Patchwork-Submitter: Sven Eckelmann
X-Patchwork-Id: 1146351
From: Sven Eckelmann
To: hostap@lists.infradead.org
Subject: [PATCH v3] HE: fix ieee80211_he_capabilities size
Date: Tue, 13 Aug 2019 15:10:46 +0200
Message-Id: <20190813131046.16270-1-sven@narfation.org>
Cc: Sven Eckelmann, John Crispin

From: John Crispin

Set the max value of optional bytes inside the data structure. This
requires us to calculate the actually used size when copying the HE
capabilities and generating the IE.

Signed-off-by: John Crispin
Signed-off-by: Sven Eckelmann
---
v3:
 * leave the original memset call because we might have more memory than
   we actually use for the current he_capab
 * re-add size check for he_capab_len
 * re-add static allocation of sta->he_capab to avoid uncertainty when
   calling copy_sta_he_capab a second time with different he_capab_len
   (possible buffer overflow)

v2:
 * drop memset() call
---
 src/ap/ieee802_11_he.c       | 31 ++++++++++++++++++++++++++++++-
 src/common/ieee802_11_defs.h |  2 +-
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/src/ap/ieee802_11_he.c b/src/ap/ieee802_11_he.c
index bb6083e8c..b78d8ff1c 100644
--- a/src/ap/ieee802_11_he.c
+++ b/src/ap/ieee802_11_he.c
@@ -43,6 +43,34 @@ static u8 ieee80211_he_ppet_size(u8 ppe_thres_hdr, const u8 *phy_cap_info) return sz; } +static u8 ieee80211_he_mcs_set_size(const u8 *phy_cap_info) +{ + u8 sz = 4; + + if (phy_cap_info[HE_PHYCAP_CHANNEL_WIDTH_SET_IDX] & HE_PHYCAP_CHANNEL_WIDTH_SET_80PLUS80MHZ_IN_5G) + sz += 4; + if (phy_cap_info[HE_PHYCAP_CHANNEL_WIDTH_SET_IDX] & HE_PHYCAP_CHANNEL_WIDTH_SET_160MHZ_IN_5G) + sz += 4; + + return sz; +} + +static int ieee80211_check_he_cap_size(const u8 *buf, int len) +{ + struct ieee80211_he_capabilities *cap = (struct ieee80211_he_capabilities *)buf; + int cap_len = sizeof(*cap) - sizeof(cap->optional); + + if (len < cap_len) + return 1; + + cap_len += ieee80211_he_mcs_set_size(cap->he_phy_capab_info); + if (len < cap_len) + return 1; + + cap_len += ieee80211_he_ppet_size(buf[cap_len], cap->he_phy_capab_info); + + return (len != cap_len); +} u8 * hostapd_eid_he_capab(struct hostapd_data *hapd, u8 *eid, enum ieee80211_op_mode opmode) @@ -56,7 +84,7 @@ u8 * hostapd_eid_he_capab(struct hostapd_data *hapd, u8 *eid, if (!mode) return eid; - ie_size = sizeof(struct ieee80211_he_capabilities); + ie_size = sizeof(*cap) - sizeof(cap->optional); ppet_size = ieee80211_he_ppet_size(mode->he_capab[opmode].ppet[0], mode->he_capab[opmode].phy_cap); @@ -324,6 +352,7 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta, { if (!he_capab || !hapd->iconf->ieee80211ax || !check_valid_he_mcs(hapd, he_capab, opmode) || + ieee80211_check_he_cap_size(he_capab, he_capab_len) || he_capab_len > sizeof(struct ieee80211_he_capabilities)) { sta->flags &= ~WLAN_STA_HE; os_free(sta->he_capab); diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h index b0aa913bb..214ba0e0f 100644 --- a/src/common/ieee802_11_defs.h +++ b/src/common/ieee802_11_defs.h 
@@ -2109,7 +2109,7 @@ struct ieee80211_he_capabilities { u8 he_phy_capab_info[11]; /* Followed by 4, 8, or 12 octets of Supported HE-MCS And NSS Set field * and optional variable length PPE Thresholds field. */ - u8 optional[]; + u8 optional[37]; } STRUCT_PACKED; struct ieee80211_he_operation {
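Review bot: in the first ieee802_11_he.c hunk, ieee80211_check_he_cap_size() reads `buf[cap_len]` before any check establishes that byte exists: the second test is `if (len < cap_len) return 1;`, so `len == cap_len` falls through and the PPE Thresholds header is read one byte past the end of the caller's buffer whenever the element carries no PPE Thresholds field. Only read `buf[cap_len]` once `len > cap_len` holds; when `len == cap_len` the element is well-formed exactly when the PPE Thresholds Present bit in `cap->he_phy_capab_info` is clear, so return that instead of calling ieee80211_he_ppet_size(). Separately, `(struct ieee80211_he_capabilities *)buf` casts away the `const` of `const u8 *buf`; declare `cap` as `const struct ieee80211_he_capabilities *` since it is only read.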
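Review bot: in the hostapd_eid_he_capab() hunk, `ie_size = sizeof(*cap) - sizeof(cap->optional);` duplicates the expression used for `cap_len` in ieee80211_check_he_cap_size(), and `cap` is declared outside the visible context. Define the fixed-part length once, for example as `offsetof(struct ieee80211_he_capabilities, optional)` (equivalent here because `optional` is the last member of a STRUCT_PACKED struct), and use it in both places so the two size calculations cannot drift apart.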
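Review bot: in the copy_sta_he_capab() hunk, the new `ieee80211_check_he_cap_size(he_capab, he_capab_len) ||` line sits after `!check_valid_he_mcs(hapd, he_capab, opmode) ||`, so with short-circuit evaluation the Supported HE-MCS And NSS Set is parsed out of `he_capab` before `he_capab_len` has been validated at all. Move the size check (and the `he_capab_len > sizeof(struct ieee80211_he_capabilities)` bound) ahead of check_valid_he_mcs() so that no field of the element is read until the length is known to cover it.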
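Review bot: in the ieee802_11_defs.h hunk, `u8 optional[37];` introduces a magic number with no explanation: the comment above it accounts for 4, 8 or 12 octets of the Supported HE-MCS And NSS Set field, but not for the remaining 25 octets reserved for the variable-length PPE Thresholds field. Add a comment deriving 37 (maximum MCS set plus maximum PPE Thresholds field) or a named constant, since every `sizeof(struct ieee80211_he_capabilities)` bound, including the one in copy_sta_he_capab(), now depends on this value being the true maximum.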