wifi: mac80211_hwsim: drop short frames

While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are passed in. Reported-by: [email protected] Reviewed-by: Jeff Johnson <[email protected]> Signed-off-by: Johannes Berg <[email protected]>
Xilinx · Aug 22, 2023 · fba360a · fba360a
1 parent 67dfa58
commit fba360a
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -5626,14 +5626,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
  frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]);
  frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]);
 
+ if (frame_data_len < sizeof(struct ieee80211_hdr_3addr) ||
+ frame_data_len > IEEE80211_MAX_DATA_LEN)
+ goto err;
+
  /* Allocate new skb here */
  skb = alloc_skb(frame_data_len, GFP_KERNEL);
  if (skb == NULL)
  goto err;
 
- if (frame_data_len > IEEE80211_MAX_DATA_LEN)
- goto err;
-
  /* Copy the data */
  skb_put_data(skb, frame_data, frame_data_len);