Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
ea34ce11c1 | ||
|
|
fa9a932fdb | ||
|
|
e0bb4b7a78 |
@@ -1,4 +1,4 @@
|
||||
src-git-full packages https://git.openwrt.org/feed/packages.git^82629531b73b21b63d0d820419c419019ef96830
|
||||
src-git-full luci https://git.openwrt.org/project/luci.git^3923199f8e0e746929a8804c43f9064283b9f785
|
||||
src-git-full packages https://git.openwrt.org/feed/packages.git^0b16e3f359fe9d015861596d63c5bde4c56daa2e
|
||||
src-git-full luci https://git.openwrt.org/project/luci.git^afd001293996ee6557ea14b438d95b41bd75f132
|
||||
src-git-full routing https://git.openwrt.org/feed/routing.git^25e76489c83cfcee61e36a491896e1e9bfc3ec13
|
||||
src-git-full telephony https://git.openwrt.org/feed/telephony.git^89cc8fccf757614eac1d45a684f4971393e0d984
|
||||
|
||||
@@ -23,13 +23,13 @@ PKG_CONFIG_DEPENDS += \
|
||||
sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
|
||||
|
||||
VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
|
||||
VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),21.02.4)
|
||||
VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),21.02.5)
|
||||
|
||||
VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
|
||||
VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r16685-82ebc173b3)
|
||||
VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r16688-fa9a932fdb)
|
||||
|
||||
VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
|
||||
VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/releases/21.02.4)
|
||||
VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/releases/21.02.5)
|
||||
|
||||
VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
|
||||
VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)
|
||||
|
||||
@@ -183,7 +183,7 @@ if VERSIONOPT
|
||||
config VERSION_REPO
|
||||
string
|
||||
prompt "Release repository"
|
||||
default "https://downloads.openwrt.org/releases/21.02.4"
|
||||
default "https://downloads.openwrt.org/releases/21.02.5"
|
||||
help
|
||||
This is the repository address embedded in the image, it defaults
|
||||
to the trunk snapshot repo; the url may contain the following placeholders:
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
From: Johannes Berg <johannes.berg@intel.com>
|
||||
Date: Wed, 5 Oct 2022 21:24:10 +0200
|
||||
Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for
|
||||
P2P-device
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
|
||||
|
||||
If beacon protection is active but the beacon cannot be
|
||||
decrypted or is otherwise malformed, we call the cfg80211
|
||||
API to report this to userspace, but that uses a netdev
|
||||
pointer, which isn't present for P2P-Device. Fix this to
|
||||
call it only conditionally to ensure cfg80211 won't crash
|
||||
in the case of P2P-Device.
|
||||
|
||||
This fixes CVE-2022-42722.
|
||||
|
||||
Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
|
||||
Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
---
|
||||
|
||||
--- a/net/mac80211/rx.c
|
||||
+++ b/net/mac80211/rx.c
|
||||
@@ -1972,10 +1972,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_
|
||||
|
||||
if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
|
||||
mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
|
||||
- NUM_DEFAULT_BEACON_KEYS) {
|
||||
- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
|
||||
- skb->data,
|
||||
- skb->len);
|
||||
+ NUM_DEFAULT_BEACON_KEYS) {
|
||||
+ if (rx->sdata->dev)
|
||||
+ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
|
||||
+ skb->data,
|
||||
+ skb->len);
|
||||
return RX_DROP_MONITOR; /* unexpected BIP keyidx */
|
||||
}
|
||||
|
||||
@@ -2123,7 +2124,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_
|
||||
/* either the frame has been decrypted or will be dropped */
|
||||
status->flag |= RX_FLAG_DECRYPTED;
|
||||
|
||||
- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
|
||||
+ if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
|
||||
+ rx->sdata->dev))
|
||||
cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
|
||||
skb->data, skb->len);
|
||||
|
||||
@@ -0,0 +1,44 @@
|
||||
--- a/net/mac80211/util.c
|
||||
+++ b/net/mac80211/util.c
|
||||
@@ -1406,6 +1406,7 @@ static size_t ieee802_11_find_bssid_prof
|
||||
if (!bss_bssid || !transmitter_bssid)
|
||||
return profile_len;
|
||||
|
||||
+ return 0;
|
||||
for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
|
||||
if (elem->datalen < 2)
|
||||
continue;
|
||||
--- a/net/wireless/scan.c
|
||||
+++ b/net/wireless/scan.c
|
||||
@@ -1982,6 +1982,7 @@ static const struct element
|
||||
const struct element *next_mbssid;
|
||||
const struct element *next_sub;
|
||||
|
||||
+ return NULL;
|
||||
next_mbssid = cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID,
|
||||
mbssid_end,
|
||||
ielen - (mbssid_end - ie));
|
||||
@@ -2063,6 +2064,7 @@ static void cfg80211_parse_mbssid_data(s
|
||||
u16 capability;
|
||||
struct cfg80211_bss *bss;
|
||||
|
||||
+ return;
|
||||
if (!non_tx_data)
|
||||
return;
|
||||
if (!cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen))
|
||||
@@ -2221,6 +2223,7 @@ cfg80211_update_notlisted_nontrans(struc
|
||||
const struct cfg80211_bss_ies *old;
|
||||
u8 cpy_len;
|
||||
|
||||
+ return;
|
||||
lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
|
||||
|
||||
ie = mgmt->u.probe_resp.variable;
|
||||
@@ -2436,6 +2439,7 @@ cfg80211_inform_bss_frame_data(struct wi
|
||||
|
||||
res = cfg80211_inform_single_bss_frame_data(wiphy, data, mgmt,
|
||||
len, gfp);
|
||||
+ return res;
|
||||
if (!res || !wiphy->support_mbssid ||
|
||||
!cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen))
|
||||
return res;
|
||||
@@ -1 +1 @@
|
||||
1665330221
|
||||
1665688598
|
||||
|
||||
Reference in New Issue
Block a user