diff mbox series

HE: Consider the dynamic length of the mcs_nss and ppet fields of HE Capability IE

Message ID 1561469284-6477-1-git-send-email-shay.bar@celeno.com
State Superseded, archived
Headers show
Series HE: Consider the dynamic length of the mcs_nss and ppet fields of HE Capability IE | expand

Commit Message

Shay Bar June 25, 2019, 1:28 p.m. UTC 
he_capab_len is always greater than sizeof(struct ieee80211_he_capabilities) because of the dynamic mcs_nss and ppet fields.
Thus, the validity check in copy_sta_he_capab will always fail and he_capab will never be parsed.
Fix is to validate that he_capab_len is not greater than the maximum HE Capability IE size and use the actual he_capab_len to parse the he_capab.
Also, take these fields into consideration in beacon.c

Signed-off-by: shay.bar <shay.bar@celeno.com>
---
Now including the Signed-off-by :)

 src/ap/beacon.c        |  4 ++++
 src/ap/ieee802_11_he.c | 10 ++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

--
1.9.1

Comments

Sven Eckelmann June 26, 2019, 9:02 a.m. UTC | #1 
On Tuesday, 25 June 2019 15:28:43 CEST Shay Bar wrote:
> he_capab_len is always greater than sizeof(struct ieee80211_he_capabilities) because of the dynamic mcs_nss and ppet fields.
> Thus, the validity check in copy_sta_he_capab will always fail and he_capab will never be parsed.
> Fix is to validate that he_capab_len is not greater than the maximum HE Capability IE size and use the actual he_capab_len to parse the he_capab.
> Also, take these fields into consideration in beacon.c
> 
> Signed-off-by: shay.bar <shay.bar@celeno.com>

Your Signed-off-by name isn't equal to the author name (see "From: ") of this 
patch.

And at least in many projects (cannot say for sure for hostapd since it seems 
to deal quite differently with some stuff), it is helpful to have the version 
number of the submission in the prefix. You can generate the patches with a 
version number using -v 2 (for version 2). Here an example:

   git format-patch -v 2 -1

This is rather helpful when you create the summary of changes for this patch 
since the first version.

> ---
> Now including the Signed-off-by :)

What the heck are you using to send these mails? The header seems to suggest 
that you are using git-send-email to send them out but the result [1] looks 
like nothing which patch or git-am can parse. Is your company filtering 
outgoing mails to death?

    $ git am ~/Downloads/HE-Consider-the-dynamic-length-of-the-mcs_nss-and-ppet-fields-of-HE-Capability-IE.patch 
    Applying: HE: Consider the dynamic length of the mcs_nss and ppet fields of HE Capability IE
    error: patch failed: src/ap/beacon.c:397
    error: src/ap/beacon.c: patch does not apply
    error: patch failed: src/ap/ieee802_11_he.c:323
    error: src/ap/ieee802_11_he.c: patch does not apply
    Patch failed at 0001 HE: Consider the dynamic length of the mcs_nss and ppet fields of HE Capability IE
    hint: Use 'git am --show-current-patch' to see the failed patch
    When you have resolved this problem, run "git am --continue".
    If you prefer to skip this patch, run "git am --skip" instead.
    To restore the original branch and stop patching, run "git am --abort".

    $ patch -p1 -i ~/Downloads/HE-Consider-the-dynamic-length-of-the-mcs_nss-and-ppet-fields-of-HE-Capability-IE.patch
    patching file src/ap/beacon.c
    Hunk #1 FAILED at 397.
    Hunk #2 FAILED at 1089.
    2 out of 2 hunks FAILED -- saving rejects to file src/ap/beacon.c.rej
    patching file src/ap/ieee802_11_he.c
    Hunk #1 FAILED at 323.
    Hunk #2 FAILED at 333.
    2 out of 2 hunks FAILED -- saving rejects to file src/ap/ieee802_11_he.c.rej

[...]
> @@ -333,14 +336,13 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
>  }
> 
>  if (!sta->he_capab) {
> -sta->he_capab =
> -os_zalloc(sizeof(struct ieee80211_he_capabilities));
> +sta->he_capab =os_zalloc(he_capab_len);
>  if (!sta->he_capab)
>  return WLAN_STATUS_UNSPECIFIED_FAILURE;
>  }
> 
>  sta->flags |= WLAN_STA_HE;
> -os_memset(sta->he_capab, 0, sizeof(struct ieee80211_he_capabilities));
> +os_memset(sta->he_capab, 0, he_capab_len);
>  os_memcpy(sta->he_capab, he_capab, he_capab_len);
>  sta->he_capab_len = he_capab_len;

Please see https://patchwork.ozlabs.org/patch/1109462/

> ________________________________
> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any retransmission, dissemination, copying or other use of, or taking of any action in reliance upon this information is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Nothing contained herein shall be deemed as a representation, warranty or a commitment by Celeno. No warranties are expressed or implied, including, but not limited to, any implied warranties of non-infringement, merchantability and fitness for a particular purpose.
> ________________________________

This is wrong in so many ways.

Kind regards,
	Sven

[1] https://patchwork.ozlabs.org/patch/1122057/
Sven Eckelmann June 26, 2019, 9:37 a.m. UTC | #2 
On Wednesday, 26 June 2019 11:15:28 CEST Shay Bar wrote:
> To format a patch I am using: "git format-patch origin -s".
> To send it via email to hostap@lists.infradead.org, I am using: "git send-email -1".
> I am using git version 1.9.1 with this .gitconfig:
[...]
> Can you please tell me what should I change?

Start by fixing your name in the configuration. Unless your name is actually 
shay.bar and your mail server is something wrong by changing the "From: " to 
"Shay Bar <Shay.Bar@celeno.com>". In that case, get in contact with your 
admins to fix this problems on the mailserver.

And regarding broken patch format: I would guess that it is caused by some 
configuration/filter on the mail server which you use to transmit messages. 
You could for example switch to a different server to send such mails to avoid 
this.

But at least in theory, a vanilla smtp.office365.com should work [1]. But I
don't use this server and can therefore not confirm it.

Kind regards,
	Sven

[1] https://marc.info/?l=linux-spi&m=154269987700355&w=2
Sven Eckelmann June 26, 2019, 10:05 a.m. UTC | #3 
On Wednesday, 26 June 2019 11:37:02 CEST Sven Eckelmann wrote:
> On Wednesday, 26 June 2019 11:15:28 CEST Shay Bar wrote:
> > To format a patch I am using: "git format-patch origin -s".
> > To send it via email to hostap@lists.infradead.org, I am using: "git send-email -1".
> > I am using git version 1.9.1 with this .gitconfig:
> [...]
> > Can you please tell me what should I change?
[...]
> And regarding broken patch format: I would guess that it is caused by some 
> configuration/filter on the mail server which you use to transmit messages. 
> You could for example switch to a different server to send such mails to avoid 
> this.

Ah, forgot to tell you that you should also add a "from" line to your 
sendemail config.

   [sendemail]
   from = Shay Bar <cooluser@otherserver.com>

Of course with the correct information and not these examples.

Not that you start to send mails out with a faked "From:" header. And this 
also has the benefit that git-send-email will compare the From: line of the 
patch and the one in the configuration. And when they are different, it will 
add a secondary from line in the mail body with the original patch From: line 
and replace the From in the mail header with the one from .gitconfig [1]. 
git-am will then pick the second From: line when the patch is applied [2]. 
When it is done correctly, it will ensure that the author mail and the last
Signed-off-by line of the mail are equal - even when submitted using a 
mail server for a completely different domain.

Kind regards,
	Sven

[1] https://patchwork.ozlabs.org/patch/1114908/
[2] https://w1.fi/cgit/hostap/commit/?id=29f85561894d4799a902656549a5847e4febabd3
diff mbox series

Patch

diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index a51b949..98efb45 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -397,6 +397,8 @@  static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd,
 #ifdef CONFIG_IEEE80211AX
 if (hapd->iconf->ieee80211ax) {
 buflen += 3 + sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE +
 3 + sizeof(struct ieee80211_he_operation) +
 3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) +
 3 + sizeof(struct ieee80211_spatial_reuse);
@@ -1089,6 +1091,8 @@  int ieee802_11_build_ap_params(struct hostapd_data *hapd,
 #ifdef CONFIG_IEEE80211AX
 if (hapd->iconf->ieee80211ax) {
 tail_len += 3 + sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE +
 3 + sizeof(struct ieee80211_he_operation) +
 3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) +
 3 + sizeof(struct ieee80211_spatial_reuse);
diff --git a/src/ap/ieee802_11_he.c b/src/ap/ieee802_11_he.c
index a51f3fc..a7a74f0 100644
--- a/src/ap/ieee802_11_he.c
+++ b/src/ap/ieee802_11_he.c
@@ -323,9 +323,12 @@  u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
       enum ieee80211_op_mode opmode, const u8 *he_capab,
       size_t he_capab_len)
 {
+size_t he_capab_max_len = sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE;
 if (!he_capab || !hapd->iconf->ieee80211ax ||
     !check_valid_he_mcs(hapd, he_capab, opmode) ||
-    he_capab_len > sizeof(struct ieee80211_he_capabilities)) {
+    he_capab_len > he_capab_max_len) {
 sta->flags &= ~WLAN_STA_HE;
 os_free(sta->he_capab);
 sta->he_capab = NULL;
@@ -333,14 +336,13 @@  u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
 }

 if (!sta->he_capab) {
-sta->he_capab =
-os_zalloc(sizeof(struct ieee80211_he_capabilities));
+sta->he_capab =os_zalloc(he_capab_len);
 if (!sta->he_capab)
 return WLAN_STATUS_UNSPECIFIED_FAILURE;
 }

 sta->flags |= WLAN_STA_HE;
-os_memset(sta->he_capab, 0, sizeof(struct ieee80211_he_capabilities));
+os_memset(sta->he_capab, 0, he_capab_len);
 os_memcpy(sta->he_capab, he_capab, he_capab_len);
 sta->he_capab_len = he_capab_len;