wifi: nl80211: reject fragmented and non-inheritance elements

The underlying mac80211 code cannot deal with fragmented
elements for purposes of sorting the elements into the
association frame, so reject those inside the link. We
might want to reject them inside the assoc frame, but
they're used today for FILS, so cannot do that.

The non-inheritance element inside the links similarly
cannot be handled by mac80211, and outside the links it
makes no sense.

Reject both since using them could lead to an incorrect
implementation.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index be969f64b5c370e1d8160c51ca648172420869b0..e2d1efe0174e7661b34e519b36ffa37395df0375 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10661,6 +10661,13 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
        if (info->attrs[NL80211_ATTR_IE]) {
                req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
                req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
+
+               if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
+                                          req.ie, req.ie_len)) {
+                       GENL_SET_ERR_MSG(info,
+                                        "non-inheritance makes no sense");
+                       return -EINVAL;
+               }
        }
 
        if (info->attrs[NL80211_ATTR_USE_MFP]) {
@@ -10805,6 +10812,24 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
                                        nla_data(attrs[NL80211_ATTR_IE]);
                                req.links[link_id].elems_len =
                                        nla_len(attrs[NL80211_ATTR_IE]);
+
+                               if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
+                                                      req.links[link_id].elems,
+                                                      req.links[link_id].elems_len)) {
+                                       GENL_SET_ERR_MSG(info,
+                                                        "cannot deal with fragmentation");
+                                       err = -EINVAL;
+                                       goto free;
+                               }
+
+                               if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
+                                                          req.links[link_id].elems,
+                                                          req.links[link_id].elems_len)) {
+                                       GENL_SET_ERR_MSG(info,
+                                                        "cannot deal with non-inheritance");
+                                       err = -EINVAL;
+                                       goto free;
+                               }
                        }
                }