提交 4f139c03 编写于 作者: D Denis Kenzior 提交者: Greg Kroah-Hartman

mac80211: Don't memset RXCB prior to PAE intercept

commit c8a41c6afa27b8c3f61622dfd882b912da9d6721 upstream.

In ieee80211_deliver_skb_to_local_stack intercepts EAPoL frames if
mac80211 is configured to do so and forwards the contents over nl80211.
During this process some additional data is also forwarded, including
whether the frame was received encrypted or not.  Unfortunately just
prior to the call to ieee80211_deliver_skb_to_local_stack, skb->cb is
cleared, resulting in incorrect data being exposed over nl80211.

Fixes: 018f6fbf ("mac80211: Send control port frames over nl80211")
Cc: stable@vger.kernel.org
Signed-off-by: NDenis Kenzior <denkenz@gmail.com>
Link: https://lore.kernel.org/r/20190827224120.14545-2-denkenz@gmail.comSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
上级 58f91aac
...@@ -2377,6 +2377,8 @@ static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb, ...@@ -2377,6 +2377,8 @@ static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
cfg80211_rx_control_port(dev, skb, noencrypt); cfg80211_rx_control_port(dev, skb, noencrypt);
dev_kfree_skb(skb); dev_kfree_skb(skb);
} else { } else {
memset(skb->cb, 0, sizeof(skb->cb));
/* deliver to local stack */ /* deliver to local stack */
if (rx->napi) if (rx->napi)
napi_gro_receive(rx->napi, skb); napi_gro_receive(rx->napi, skb);
...@@ -2470,8 +2472,6 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx) ...@@ -2470,8 +2472,6 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
if (skb) { if (skb) {
skb->protocol = eth_type_trans(skb, dev); skb->protocol = eth_type_trans(skb, dev);
memset(skb->cb, 0, sizeof(skb->cb));
ieee80211_deliver_skb_to_local_stack(skb, rx); ieee80211_deliver_skb_to_local_stack(skb, rx);
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册