wifi: mt76: mt7996: drop fragments with multicast or broadcast RA

[ Upstream commit 80fda1cd7b0a1edd0849dc71403a070d0922118d ]

IEEE 802.11 fragmentation can only be applied to unicast frames.
Therefore, drop fragments with multicast or broadcast RA. This patch
addresses vulnerabilities such as CVE-2020-26145.

Signed-off-by: Benjamin Lin <benjamin-jw.lin@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20250515032952.1653494-4-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Benjamin Lin
2025-05-15 11:29:47 +08:00
committed by Greg Kroah-Hartman
parent 775fdb4042
commit 24900688ee

@@ -650,6 +650,14 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, struct sk_buff *skb)
status->last_amsdu = amsdu_info == MT_RXD4_LAST_AMSDU_FRAME; status->last_amsdu = amsdu_info == MT_RXD4_LAST_AMSDU_FRAME;
} }
/* IEEE 802.11 fragmentation can only be applied to unicast frames.
* Hence, drop fragments with multicast/broadcast RA.
* This check fixes vulnerabilities, like CVE-2020-26145.
*/
if ((ieee80211_has_morefrags(fc) || seq_ctrl & IEEE80211_SCTL_FRAG) &&
FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3) != MT_RXD3_NORMAL_U2M)
return -EINVAL;
hdr_gap = (u8 *)rxd - skb->data + 2 * remove_pad; hdr_gap = (u8 *)rxd - skb->data + 2 * remove_pad;
if (hdr_trans && ieee80211_has_morefrags(fc)) { if (hdr_trans && ieee80211_has_morefrags(fc)) {
if (mt7996_reverse_frag0_hdr_trans(skb, hdr_gap)) if (mt7996_reverse_frag0_hdr_trans(skb, hdr_gap))
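
Review bot: The added condition tests `fc` and `seq_ctrl` ahead of the `hdr_gap` computation, and nothing in the visible lines shows that both are already populated for every frame that reaches this point. If either can still hold its initial value here, a fragment with a multicast or broadcast RA would skip the drop, so please confirm where they are filled in or move the test to a point where both are known to be valid. On the same condition, writing `(seq_ctrl & IEEE80211_SCTL_FRAG)` with its own parentheses would make the precedence against `||` explicit. The bare `return -EINVAL` also leaves no trace of the drop; a counter or rate-limited debug message would help when diagnosing missing frames.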