Page MenuHomeFreeBSD
Differential D13161

net80211: sanitize input for ieee80211_output()
ClosedPublic
Actions

Authored by avos on Nov 19 2017, 6:16 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 10, 2:28 PM
Unknown Object (File)
Thu, Oct 24, 2:54 PM
Unknown Object (File)
Oct 5 2024, 11:30 AM
Unknown Object (File)
Oct 5 2024, 12:40 AM
Unknown Object (File)
Oct 2 2024, 12:24 PM
Unknown Object (File)
Oct 2 2024, 10:04 AM
Unknown Object (File)
Oct 1 2024, 9:21 PM
Unknown Object (File)
Sep 29 2024, 10:56 PM
View All 64 Files
Subscribers
imp

Details

Reviewers
adrian
Commits
rS327371: net80211: sanitize input for ieee80211_output()
Summary
  • Add some basic checks for i_fc* bits (ToDS, FromDS, MoreFrag, Protected); those are used / checked across various places in Tx path.
  • Mark injected 802.11 frame as encapsulated (just as it should be).
  • Classify 802.11 frame in a proper way (extract ether_type from LLC header for Data frames, use AC_BE queue for others (NoData / Management / Control).
  • Subtract header length from tx_bytes statistics (so it will correspond to the comment).
  • Use KASSERT for default case in DIR_MASK switch statement (all 4 values were explicitly checked, so it should not be emitted to the binary anyway).
Test Plan

Checked with RTL8188EU (AP) + Intel 6205 (STA).

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

avos created this revision.Nov 19 2017, 6:16 PM
Herald added a subscriber: imp. · View Herald TranscriptNov 19 2017, 6:16 PM
adrian added inline comments.Nov 19 2017, 11:42 PM
sys/net80211/ieee80211_output.c
687 ↗(On Diff #35464)

Don't add a new assert in packet processing path - just log an error / counter and drop. Otherwise a future omission may turn it into a DoS.

avos updated this revision to Diff 37208.Dec 29 2017, 11:36 PM

Drop KASSERT.

avos marked an inline comment as done.Dec 29 2017, 11:42 PM
avos added inline comments.
sys/net80211/ieee80211_output.c
687 ↗(On Diff #35464)

IMHO, that was not really needed - IEEE80211_FC1_DIR_MASK is 0x03 and all 4 possible values are checked before 'default' statement (which is mostly needed due to Wswitch-default (or something like that - I don't remember exactly) compiler warning category).

adrian added a comment.Dec 30 2017, 12:17 AM

commit away! thanks!

This revision was not accepted when it landed; it landed in state Needs Review.Dec 30 2017, 12:40 AM
Closed by commit rS327371: net80211: sanitize input for ieee80211_output() (authored by avos). · Explain Why
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sys/
net80211/
143 lines

Diff 37215

View Options

head/sys/net80211/ieee80211_output.c

Loading...