nl80211: correctly validate S1G beacon head

The S1G beacon has a different header size than regular
beacons, so adjust the beacon head validator.

Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Link: https://lore.kernel.org/r/20200908190323.15814-5-thomas@adapt-ip.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 7da4d84bcc1a0145aa8b6f4b6f284b580c986375..5d9d51cfc65343fc0b37c34d1f13f89f0253346f 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -209,14 +209,23 @@ static int validate_beacon_head(const struct nlattr *attr,
        unsigned int len = nla_len(attr);
        const struct element *elem;
        const struct ieee80211_mgmt *mgmt = (void *)data;
-       unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
-                                        u.beacon.variable);
+       bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
+       unsigned int fixedlen, hdrlen;
+
+       if (s1g_bcn) {
+               fixedlen = offsetof(struct ieee80211_ext,
+                                   u.s1g_beacon.variable);
+               hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
+       } else {
+               fixedlen = offsetof(struct ieee80211_mgmt,
+                                   u.beacon.variable);
+               hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
+       }
 
        if (len < fixedlen)
                goto err;
 
-       if (ieee80211_hdrlen(mgmt->frame_control) !=
-           offsetof(struct ieee80211_mgmt, u.beacon))
+       if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
                goto err;
 
        data += fixedlen;

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 4a9ff9ef513f920d8ec11ffdc02a44920be24478..49e7c0cbbf622eaa4972ba848adbdcb9c7f02497 100644 (file)
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -399,6 +399,11 @@ unsigned int __attribute_const__ ieee80211_hdrlen(__le16 fc)
 {
        unsigned int hdrlen = 24;
 
+       if (ieee80211_is_ext(fc)) {
+               hdrlen = 4;
+               goto out;
+       }
+
        if (ieee80211_is_data(fc)) {
                if (ieee80211_has_a4(fc))
                        hdrlen = 30;