Eric Dumazet
unread,Mar 30, 2021, 3:26:37 PM3/30/21Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Sign in to report message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Alaa Emad, joha...@sipsolutions.net, da...@davemloft.net, ku...@kernel.org, gre...@linuxfoundation.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com, syzbot+72b99d...@syzkaller.appspotmail.com
What was the report exactly ?
Current code does :
unsigned int fixedlen;
if (s1g_bcn) {
fixedlen = something1;
...
else {
fixedlen = something2;
...
}
So your patch does nothing.
Initial value of @fixedlen is not relevant.
Reading this code (without access to KMSAN report) I suspect the issue
is more like the following :
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 775d0c4d86c3..d815261917ff 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -209,9 +209,12 @@ static int validate_beacon_head(const struct nlattr *attr,
unsigned int len = nla_len(attr);
const struct element *elem;
const struct ieee80211_mgmt *mgmt = (void *)data;
- bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
unsigned int fixedlen, hdrlen;
+ bool s1g_bcn;
+ if (len < offsetofend(typeof(*mgmt), frame_control))
+ goto err;
+ s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
if (s1g_bcn) {
fixedlen = offsetof(struct ieee80211_ext,
u.s1g_beacon.variable);