From fd17bf041b40e3dac705c4313854becbe07b7557 Mon Sep 17 00:00:00 2001

From: Johannes Berg <johannes.berg@intel.com>

Date: Tue, 28 Jun 2022 17:49:12 +0200

Subject: [PATCH] wifi: mac80211: refactor elements parsing with parameter struct

Git-commit: fd17bf041b40e3dac705c4313854becbe07b7557

Patch-mainline: v6.0-rc1

References: CVE-2022-42719 bsc#1204051

Refactor the element parsing into a version that has

a parameter struct so we can add more parameters more

easily in the future.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 net/mac80211/ieee80211_i.h | 50 ++++++++++++++++++++++++++++----

 net/mac80211/util.c        | 58 +++++++++++++++++++-------------------

 2 files changed, 74 insertions(+), 34 deletions(-)

diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h

index a0743c78d171..2cf13ea4c9f7 100644

--- a/net/mac80211/ieee80211_i.h

+++ b/net/mac80211/ieee80211_i.h

@@ -2138,11 +2138,51 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,

 	ieee80211_tx_skb_tid(sdata, skb, 7);

 }

-struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,

-						    bool action,

-						    u64 filter, u32 crc,

-						    const u8 *transmitter_bssid,

-						    const u8 *bss_bssid);

+/**

+ * struct ieee80211_elems_parse_params - element parsing parameters

+ * @start: pointer to the elements

+ * @len: length of the elements

+ * @action: %true if the elements came from an action frame

+ * @filter: bitmap of element IDs to filter out while calculating

+ *	the element CRC

+ * @crc: CRC starting value

+ * @transmitter_bssid: transmitter BSSID to parse the multi-BSSID

+ *	element

+ * @bss_bssid: BSSID of the BSS we want to obtain elements for

+ *	when parsing the multi-BSSID element

+ */

+struct ieee80211_elems_parse_params {

+	const u8 *start;

+	size_t len;

+	bool action;

+	u64 filter;

+	u32 crc;

+	const u8 *transmitter_bssid;

+	const u8 *bss_bssid;

+};

+

+struct ieee802_11_elems *

+ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params);

+

+static inline struct ieee802_11_elems *

+ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,

+			   u64 filter, u32 crc,

+			   const u8 *transmitter_bssid,

+			   const u8 *bss_bssid)

+{

+	struct ieee80211_elems_parse_params params = {

+		.start = start,

+		.len = len,

+		.action = action,

+		.filter = filter,

+		.crc = crc,

+		.transmitter_bssid = transmitter_bssid,

+		.bss_bssid = bss_bssid,

+	};

+

+	return ieee802_11_parse_elems_full(&params);

+}

+

 static inline struct ieee802_11_elems *

 ieee802_11_parse_elems(const u8 *start, size_t len, bool action,

 		       const u8 *transmitter_bssid,

diff --git a/net/mac80211/util.c b/net/mac80211/util.c

index 2b2c8e1472f3..0ff09c639c50 100644

--- a/net/mac80211/util.c

+++ b/net/mac80211/util.c

@@ -1026,19 +1026,19 @@ static void ieee80211_parse_extension_element(u32 *crc,

 }

 static u32

-_ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,

-			    struct ieee802_11_elems *elems,

-			    u64 filter, u32 crc,

-			    const struct element *check_inherit)

+_ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,

+			     struct ieee802_11_elems *elems,

+			     const struct element *check_inherit)

 {

 	const struct element *elem;

-	bool calc_crc = filter != 0;

+	bool calc_crc = params->filter != 0;

 	DECLARE_BITMAP(seen_elems, 256);

+	u32 crc = params->crc;

 	const u8 *ie;

 	bitmap_zero(seen_elems, 256);

-	for_each_element(elem, start, len) {

+	for_each_element(elem, params->start, params->len) {

 		bool elem_parse_failed;

 		u8 id = elem->id;

 		u8 elen = elem->datalen;

@@ -1101,7 +1101,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,

 			break;

 		}

-		if (calc_crc && id < 64 && (filter & (1ULL << id)))

+		if (calc_crc && id < 64 && (params->filter & (1ULL << id)))

 			crc = crc32_be(crc, pos - 2, elen + 2);

 		elem_parse_failed = false;

@@ -1282,7 +1282,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,

 			elems->mesh_chansw_params_ie = (void *)pos;

 			break;

 		case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:

-			if (!action ||

+			if (!params->action ||

 			    elen < sizeof(*elems->wide_bw_chansw_ie)) {

 				elem_parse_failed = true;

 				break;

@@ -1290,7 +1290,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,

 			elems->wide_bw_chansw_ie = (void *)pos;

 			break;

 		case WLAN_EID_CHANNEL_SWITCH_WRAPPER:

-			if (action) {

+			if (params->action) {

 				elem_parse_failed = true;

 				break;

 			}

@@ -1417,7 +1417,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,

 			__set_bit(id, seen_elems);

 	}

-	if (!for_each_element_completed(elem, start, len))

+	if (!for_each_element_completed(elem, params->start, params->len))

 		elems->parse_error = true;

 	return crc;

@@ -1491,11 +1491,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,

 	return found ? profile_len : 0;

 }

-struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,

-						    bool action, u64 filter,

-						    u32 crc,

-						    const u8 *transmitter_bssid,

-						    const u8 *bss_bssid)

+struct ieee802_11_elems *

+ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)

 {

 	struct ieee802_11_elems *elems;

 	const struct element *non_inherit = NULL;

@@ -1505,15 +1502,16 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,

 	elems = kzalloc(sizeof(*elems), GFP_ATOMIC);

 	if (!elems)

 		return NULL;

-	elems->ie_start = start;

-	elems->total_len = len;

+	elems->ie_start = params->start;

+	elems->total_len = params->len;

-	nontransmitted_profile = kmalloc(len, GFP_ATOMIC);

+	nontransmitted_profile = kmalloc(params->len, GFP_ATOMIC);

 	if (nontransmitted_profile) {

 		nontransmitted_profile_len =

-			ieee802_11_find_bssid_profile(start, len, elems,

-						      transmitter_bssid,

-						      bss_bssid,

+			ieee802_11_find_bssid_profile(params->start, params->len,

+						      elems,

+						      params->transmitter_bssid,

+						      params->bss_bssid,

 						      nontransmitted_profile);

 		non_inherit =

 			cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,

@@ -1521,14 +1519,18 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,

 					       nontransmitted_profile_len);

 	}

-	crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,

-					  crc, non_inherit);

+	elems->crc = _ieee802_11_parse_elems_full(params, elems, non_inherit);

 	/* Override with nontransmitted profile, if found */

-	if (nontransmitted_profile_len)

-		_ieee802_11_parse_elems_crc(nontransmitted_profile,

-					    nontransmitted_profile_len,

-					    action, elems, 0, 0, NULL);

+	if (nontransmitted_profile_len) {

+		struct ieee80211_elems_parse_params sub = {

+			.start = nontransmitted_profile,

+			.len = nontransmitted_profile_len,

+			.action = params->action,

+		};

+

+		_ieee802_11_parse_elems_full(&sub, elems, NULL);

+	}

 	if (elems->tim && !elems->parse_error) {

 		const struct ieee80211_tim_ie *tim_ie = elems->tim;

@@ -1550,8 +1552,6 @@ struct ieee802_11_elems *ieee802_11_parse_elems_crc(const u8 *start, size_t len,

 	kfree(nontransmitted_profile);

-	elems->crc = crc;

-

 	return elems;

 }

-- 

2.35.3