projects / openwrt / openwrt.git / blob
? search:


0bdbed78d50004deea66dac8f422ce2c87215d40
[openwrt/openwrt.git] / package / kernel / mac80211 / patches / ath / 305-ath10k-Validate-first-subframe-of-A-MSDU-before-proc.patch
1 From: Sriram R <srirrama@codeaurora.org>
2 Date: Tue, 11 May 2021 20:02:57 +0200
3 Subject: [PATCH] ath10k: Validate first subframe of A-MSDU before
4 processing the list
5
6 In certain scenarios a normal MSDU can be received as an A-MSDU when
7 the A-MSDU present bit of a QoS header gets flipped during reception.
8 Since this bit is unauthenticated, the hardware crypto engine can pass
9 the frame to the driver without any error indication.
10
11 This could result in processing unintended subframes collected in the
12 A-MSDU list. Hence, validate A-MSDU list by checking if the first frame
13 has a valid subframe header.
14
15 Comparing the non-aggregated MSDU and an A-MSDU, the fields of the first
16 subframe DA matches the LLC/SNAP header fields of a normal MSDU.
17 In order to avoid processing such frames, add a validation to
18 filter such A-MSDU frames where the first subframe header DA matches
19 with the LLC/SNAP header pattern.
20
21 Tested-on: QCA9984 hw1.0 PCI 10.4-3.10-00047
22
23 Cc: stable@vger.kernel.org
24 Signed-off-by: Sriram R <srirrama@codeaurora.org>
25 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
26 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
27 ---
28
29 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c
30 +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
31 @@ -2108,14 +2108,62 @@ static void ath10k_htt_rx_h_unchain(stru
32 ath10k_unchain_msdu(amsdu, unchain_cnt);
33 }
34
35 +static bool ath10k_htt_rx_validate_amsdu(struct ath10k *ar,
36 + struct sk_buff_head *amsdu)
37 +{
38 + u8 *subframe_hdr;
39 + struct sk_buff *first;
40 + bool is_first, is_last;
41 + struct htt_rx_desc *rxd;
42 + struct ieee80211_hdr *hdr;
43 + size_t hdr_len, crypto_len;
44 + enum htt_rx_mpdu_encrypt_type enctype;
45 + int bytes_aligned = ar->hw_params.decap_align_bytes;
46 +
47 + first = skb_peek(amsdu);
48 +
49 + rxd = (void *)first->data - sizeof(*rxd);
50 + hdr = (void *)rxd->rx_hdr_status;
51 +
52 + is_first = !!(rxd->msdu_end.common.info0 &
53 + __cpu_to_le32(RX_MSDU_END_INFO0_FIRST_MSDU));
54 + is_last = !!(rxd->msdu_end.common.info0 &
55 + __cpu_to_le32(RX_MSDU_END_INFO0_LAST_MSDU));
56 +
57 + /* Return in case of non-aggregated msdu */
58 + if (is_first && is_last)
59 + return true;
60 +
61 + /* First msdu flag is not set for the first msdu of the list */
62 + if (!is_first)
63 + return false;
64 +
65 + enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
66 + RX_MPDU_START_INFO0_ENCRYPT_TYPE);
67 +
68 + hdr_len = ieee80211_hdrlen(hdr->frame_control);
69 + crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);
70 +
71 + subframe_hdr = (u8 *)hdr + round_up(hdr_len, bytes_aligned) +
72 + crypto_len;
73 +
74 + /* Validate if the amsdu has a proper first subframe.
75 + * There are chances a single msdu can be received as amsdu when
76 + * the unauthenticated amsdu flag of a QoS header
77 + * gets flipped in non-SPP AMSDU's, in such cases the first
78 + * subframe has llc/snap header in place of a valid da.
79 + * return false if the da matches rfc1042 pattern
80 + */
81 + if (ether_addr_equal(subframe_hdr, rfc1042_header))
82 + return false;
83 +
84 + return true;
85 +}
86 +
87 static bool ath10k_htt_rx_amsdu_allowed(struct ath10k *ar,
88 struct sk_buff_head *amsdu,
89 struct ieee80211_rx_status *rx_status)
90 {
91 - /* FIXME: It might be a good idea to do some fuzzy-testing to drop
92 - * invalid/dangerous frames.
93 - */
94 -
95 if (!rx_status->freq) {
96 ath10k_dbg(ar, ATH10K_DBG_HTT, "no channel configured; ignoring frame(s)!\n");
97 return false;
98 @@ -2126,6 +2174,11 @@ static bool ath10k_htt_rx_amsdu_allowed(
99 return false;
100 }
101
102 + if (!ath10k_htt_rx_validate_amsdu(ar, amsdu)) {
103 + ath10k_dbg(ar, ATH10K_DBG_HTT, "invalid amsdu received\n");
104 + return false;
105 + }
106 +
107 return true;
108 }
109
OpenWrt Source Repository