From 8223ac199a3849257e86ec27865dc63f034b1cf1 Mon Sep 17 00:00:00 2001

From: Johannes Berg <johannes.berg@intel.com>

Date: Fri, 1 Oct 2021 21:11:08 +0200

Subject: [PATCH] mac80211: fix memory leaks with element parsing

Git-commit: 8223ac199a3849257e86ec27865dc63f034b1cf1

Patch-mainline: v5.16-rc1

References: CVE-2022-42719 bsc#1204051

My previous commit 5d24828d05f3 ("mac80211: always allocate

struct ieee802_11_elems") had a few bugs and leaked the new

allocated struct in a few error cases, fix that.

Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 net/mac80211/agg-rx.c |  3 ++-

 net/mac80211/ibss.c   | 10 +++++-----

 net/mac80211/mlme.c   | 36 ++++++++++++++++++------------------

 3 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c

index 94c65def102c..470ff0ce3dc7 100644

--- a/net/mac80211/agg-rx.c

+++ b/net/mac80211/agg-rx.c

@@ -498,13 +498,14 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,

 		elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,

 					       ies_len, true, mgmt->bssid, NULL);

 		if (!elems || elems->parse_error)

-			return;

+			goto free;

 	}

 	__ieee80211_start_rx_ba_session(sta, dialog_token, timeout,

 					start_seq_num, ba_policy, tid,

 					buf_size, true, false,

 					elems ? elems->addba_ext_ie : NULL);

+free:

 	kfree(elems);

 }

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c

index 66b00046f0c2..0416c4d22292 100644

--- a/net/mac80211/ibss.c

+++ b/net/mac80211/ibss.c

@@ -1659,11 +1659,11 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,

 				mgmt->u.action.u.chan_switch.variable,

 				ies_len, true, mgmt->bssid, NULL);

-			if (!elems || elems->parse_error)

-				break;

-

-			ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,

-							rx_status, elems);

+			if (elems && !elems->parse_error)

+				ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,

+								skb->len,

+								rx_status,

+								elems);

 			kfree(elems);

 			break;

 		}

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c

index 0ec183a92a01..40b29cfb7cfe 100644

--- a/net/mac80211/mlme.c

+++ b/net/mac80211/mlme.c

@@ -3353,8 +3353,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,

 			bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,

 					  GFP_ATOMIC);

 		rcu_read_unlock();

-		if (!bss_ies)

-			return false;

+		if (!bss_ies) {

+			ret = false;

+			goto out;

+		}

 		bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,

 						   false, mgmt->bssid,

@@ -4331,13 +4333,11 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,

 					mgmt->u.action.u.chan_switch.variable,

 					ies_len, true, mgmt->bssid, NULL);

-			if (!elems || elems->parse_error)

-				break;

-

-			ieee80211_sta_process_chanswitch(sdata,

-						 rx_status->mactime,

-						 rx_status->device_timestamp,

-						 elems, false);

+			if (elems && !elems->parse_error)

+				ieee80211_sta_process_chanswitch(sdata,

+								 rx_status->mactime,

+								 rx_status->device_timestamp,

+								 elems, false);

 			kfree(elems);

 		} else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {

 			struct ieee802_11_elems *elems;

@@ -4357,17 +4357,17 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,

 					mgmt->u.action.u.ext_chan_switch.variable,

 					ies_len, true, mgmt->bssid, NULL);

-			if (!elems || elems->parse_error)

-				break;

+			if (elems && !elems->parse_error) {

+				/* for the handling code pretend it was an IE */

+				elems->ext_chansw_ie =

+					&mgmt->u.action.u.ext_chan_switch.data;

-			/* for the handling code pretend this was also an IE */

-			elems->ext_chansw_ie =

-				&mgmt->u.action.u.ext_chan_switch.data;

+				ieee80211_sta_process_chanswitch(sdata,

+								 rx_status->mactime,

+								 rx_status->device_timestamp,

+								 elems, false);

+			}

-			ieee80211_sta_process_chanswitch(sdata,

-						 rx_status->mactime,

-						 rx_status->device_timestamp,

-						 elems, false);

 			kfree(elems);

 		}

 		break;

-- 

2.35.3