From patchwork Tue Jun 25 13:28:43 2019
X-Patchwork-Submitter: Shay Bar
X-Patchwork-Id: 1122057
From: Shay Bar
To: "hostap@lists.infradead.org"
Subject: [PATCH] HE: Consider the dynamic length of the mcs_nss and ppet fields of HE Capability IE
Date: Tue, 25 Jun 2019 13:28:43 +0000
Message-ID: <1561469284-6477-1-git-send-email-shay.bar@celeno.com>

he_capab_len is always greater than sizeof(struct ieee80211_he_capabilities)
because of the dynamic mcs_nss and ppet fields.
Thus, the validity check in copy_sta_he_capab will always fail and he_capab
will never be parsed.
Fix is to validate that he_capab_len is not greater than the maximum
HE Capability IE size and use the actual he_capab_len to parse the he_capab.
Also, take these fields into consideration in beacon.c

Signed-off-by: shay.bar
---
Now including the Signed-off-by :)

 src/ap/beacon.c | 4 ++++
 src/ap/ieee802_11_he.c | 10 ++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

-- 
1.9.1

diff --git a/src/ap/beacon.c b/src/ap/beacon.c index a51b949..98efb45 100644 --- a/src/ap/beacon.c +++ b/src/ap/beacon.c @@ -397,6 +397,8 @@ static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd, #ifdef CONFIG_IEEE80211AX if (hapd->iconf->ieee80211ax) { buflen += 3 + sizeof(struct ieee80211_he_capabilities) + +HE_MAX_MCS_CAPAB_SIZE + +HE_MAX_PPET_CAPAB_SIZE + 3 + sizeof(struct ieee80211_he_operation) + 3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) + 3 + sizeof(struct ieee80211_spatial_reuse); 
@@ -1089,6 +1091,8 @@ int ieee802_11_build_ap_params(struct hostapd_data *hapd, #ifdef CONFIG_IEEE80211AX if (hapd->iconf->ieee80211ax) { tail_len += 3 + sizeof(struct ieee80211_he_capabilities) + +HE_MAX_MCS_CAPAB_SIZE + +HE_MAX_PPET_CAPAB_SIZE + 3 + sizeof(struct ieee80211_he_operation) + 3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) + 3 + sizeof(struct ieee80211_spatial_reuse); diff --git a/src/ap/ieee802_11_he.c b/src/ap/ieee802_11_he.c index a51f3fc..a7a74f0 100644 --- a/src/ap/ieee802_11_he.c +++ b/src/ap/ieee802_11_he.c @@ -323,9 +323,12 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta, enum ieee80211_op_mode opmode, const u8 *he_capab, size_t he_capab_len) { +size_t he_capab_max_len = sizeof(struct ieee80211_he_capabilities) + +HE_MAX_MCS_CAPAB_SIZE + +HE_MAX_PPET_CAPAB_SIZE; if (!he_capab || !hapd->iconf->ieee80211ax || !check_valid_he_mcs(hapd, he_capab, opmode) || - he_capab_len > sizeof(struct ieee80211_he_capabilities)) { + he_capab_len > he_capab_max_len) { sta->flags &= ~WLAN_STA_HE; os_free(sta->he_capab); sta->he_capab = NULL; @@ -333,14 +336,13 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta, } if (!sta->he_capab) { -sta->he_capab = -os_zalloc(sizeof(struct ieee80211_he_capabilities)); +sta->he_capab =os_zalloc(he_capab_len); if (!sta->he_capab) return WLAN_STATUS_UNSPECIFIED_FAILURE; } sta->flags |= WLAN_STA_HE; -os_memset(sta->he_capab, 0, sizeof(struct ieee80211_he_capabilities)); +os_memset(sta->he_capab, 0, he_capab_len); os_memcpy(sta->he_capab, he_capab, he_capab_len); sta->he_capab_len = he_capab_len;
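
Review bot: The sum sizeof(struct ieee80211_he_capabilities) + HE_MAX_MCS_CAPAB_SIZE + HE_MAX_PPET_CAPAB_SIZE is now written out three times: in the buflen computation in hostapd_gen_probe_resp(), in the tail_len computation in ieee802_11_build_ap_params(), and again as he_capab_max_len in copy_sta_he_capab(). Suggest defining it once, as a macro or small helper next to the HE_MAX_* definitions, and using that at all three sites so the space reserved when building frames and the limit applied when parsing cannot drift apart. Neither HE_MAX_MCS_CAPAB_SIZE nor HE_MAX_PPET_CAPAB_SIZE is defined in the lines shown, so the commit message should say where they come from.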
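
Review bot: In the first src/ap/ieee802_11_he.c hunk the condition still has no lower bound on he_capab_len, and check_valid_he_mcs(hapd, he_capab, opmode) is evaluated before the length test without being given the length. With the allocation now sized by he_capab_len, an element shorter than sizeof(struct ieee80211_he_capabilities) passes this check and gets a buffer of exactly that short length, so code that reads sta->he_capab as a struct ieee80211_he_capabilities would read past the allocation. Suggest rejecting he_capab_len smaller than the fixed part of the element and moving both length tests ahead of the check_valid_he_mcs() call.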
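
Review bot: In the second src/ap/ieee802_11_he.c hunk, os_zalloc(he_capab_len) only runs when sta->he_capab is NULL, but the os_memset() and os_memcpy() that follow always use the new he_capab_len. Before this change the buffer had a fixed size, so reusing it was safe; now, if copy_sta_he_capab() is called again for the same sta with a larger he_capab_len than the existing buffer was allocated for, both calls write past the end of that heap allocation. Suggest either always allocating he_capab_max_len, or freeing and reallocating whenever he_capab_len differs from the stored sta->he_capab_len. The os_memset() is also redundant, since the os_memcpy() right after it overwrites all he_capab_len bytes, and "sta->he_capab =os_zalloc(he_capab_len);" is missing a space after the "=".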