kernel: bump 5.4 to 5.4.124
[openwrt/openwrt.git] / package / kernel / mac80211 / patches / ath / 302-ath10k-drop-fragments-with-multicast-DA-for-SDIO.patch
1 From: Wen Gong <wgong@codeaurora.org>
2 Date: Tue, 11 May 2021 20:02:54 +0200
3 Subject: [PATCH] ath10k: drop fragments with multicast DA for SDIO
4
5 Fragmentation is not used with multicast frames. Discard unexpected
6 fragments with multicast DA. This fixes CVE-2020-26145.
7
8 Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
9
10 Cc: stable@vger.kernel.org
11 Signed-off-by: Wen Gong <wgong@codeaurora.org>
12 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
13 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
14 ---
15
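--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -2617,6 +2617,13 @@ static bool ath10k_htt_rx_proc_rx_frag_i
 rx_desc = (struct htt_hl_rx_desc *)(skb->data + tot_hdr_len);
 rx_desc_info = __le32_to_cpu(rx_desc->info);
 
+ hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
+
+ if (is_multicast_ether_addr(hdr->addr1)) {
+ /* Discard the fragment with multicast DA */
+ goto err;
+ }
+
 if (!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)) {
 spin_unlock_bh(&ar->data_lock);
 return ath10k_htt_rx_proc_rx_ind_hl(htt, &resp->rx_ind_hl, skb,
@@ -2624,8 +2631,6 @@ static bool ath10k_htt_rx_proc_rx_frag_i
 HTT_RX_NON_TKIP_MIC);
 }
 
- hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
-
 if (ieee80211_has_retry(hdr->frame_control))
 goto err;
 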
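Review bot: The moved `hdr` assignment means `hdr->addr1` is now read for every fragment, unencrypted ones included, and `hdr` is located using the firmware-supplied `rx_hl->fw_desc.len` with no length check visible in this hunk. The enclosing function (truncated in the hunk header as `ath10k_htt_rx_proc_rx_frag_i`) starts and ends outside the hunk, so an earlier check may already cover this. If none does, a guard before the multicast test would keep the read inside the skb, for example `if ((u8 *)hdr + offsetofend(struct ieee80211_hdr, addr1) > skb_tail_pointer(skb)) goto err;`. The new `goto err` also relies on the `err` label releasing `ar->data_lock`, which the unencrypted branch just below does explicitly, so that is worth confirming. Finally, the drop is silent: a debug message or counter on this path would let operators see discarded multicast fragments when investigating CVE-2020-26145 style injection attempts.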