From patchwork Tue Feb 17 19:12:03 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Denis Kirjanov X-Patchwork-Id: 5841021 X-Patchwork-Delegate: johannes@sipsolutions.net Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 4D7BABF440 for ; Tue, 17 Feb 2015 19:08:09 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 561FB201D3 for ; Tue, 17 Feb 2015 19:08:08 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4079020165 for ; Tue, 17 Feb 2015 19:08:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752421AbbBQTIF (ORCPT ); Tue, 17 Feb 2015 14:08:05 -0500 Received: from mail-la0-f52.google.com ([209.85.215.52]:37349 "EHLO mail-la0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752112AbbBQTIE (ORCPT ); Tue, 17 Feb 2015 14:08:04 -0500 Received: by labpn19 with SMTP id pn19so37711913lab.4 for ; Tue, 17 Feb 2015 11:08:02 -0800 (PST) X-Received: by 10.152.87.50 with SMTP id 
u18mr30202856laz.82.1424200082298; Tue, 17 Feb 2015 11:08:02 -0800 (PST) Received: from localhost.localdomain ([87.228.41.15]) by mx.google.com with ESMTPSA id xu8sm2023490lab.21.2015.02.17.11.08.00 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 17 Feb 2015 11:08:01 -0800 (PST) From: Denis Kirjanov To: linux-wireless@vger.kernel.org Cc: Denis Kirjanov Subject: [PATCH] mac80211: rx: check for the skb_copy_bits() return value Date: Tue, 17 Feb 2015 22:12:03 +0300 Message-Id: <1424200323-5488-1-git-send-email-kda@linux-powerpc.org> X-Mailer: git-send-email 2.1.3 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Signed-off-by: Denis Kirjanov --- net/mac80211/rx.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 1101563..4d3ec94 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -685,7 +685,8 @@ static int iwl80211_get_cs_keyid(const struct ieee80211_cipher_scheme *cs, if (skb->len < hdrlen + cs->hdr_len) return -EINVAL; - skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1); + if (skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1)) + return -EFAULT; keyid &= cs->key_idx_mask; keyid >>= cs->key_idx_shift; @@ -1128,7 +1129,8 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx) if (rx->skb->len < hdrlen + 8) return RX_DROP_MONITOR; - skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2); + if (skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2)) + return RX_DROP_MONITOR; if (ethertype == rx->sdata->control_port_protocol) return RX_CONTINUE; } 
@@ -1614,7 +1616,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) * no need to call ieee80211_wep_get_keyidx, * it verifies a bunch of things we've done already */ - skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1); + if (skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1)) + return RX_DROP_MONITOR; keyidx = keyid >> 6; }
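Review bot: in iwl80211_get_cs_keyid() the new failure path returns -EFAULT, while the length test directly above it returns -EINVAL for a frame that is too short for the cipher-scheme header. That test bounds hdrlen + cs->hdr_len, but the copy reads at hdrlen + cs->key_idx_off, so in the visible lines the new check is the only thing covering key_idx_off; without it keyid is masked and shifted even though the copy never wrote it. Consider returning -EINVAL here too, or passing through whatever skb_copy_bits() returned, and say in the commit message (currently empty apart from the Signed-off-by) which case this guards against.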
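Review bot: in ieee80211_rx_h_check() the added test sits right after `if (rx->skb->len < hdrlen + 8)`, which already ensures that the 2 bytes at hdrlen + 6 lie inside the skb, so the new branch should not be reachable through an out-of-range offset. It is harmless and uses the same RX_DROP_MONITOR as the length test, but the commit message should state whether this is purely defensive or whether a failing case was actually observed.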
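Review bot: in ieee80211_rx_h_decrypt() the visible context has no length test in front of the copy at hdrlen + 3; the comment only says the checks were "done already". Here the return value is what stops keyidx from being computed as `keyid >> 6` on a keyid that was never written, so this is the hunk where the check carries the most weight. Please confirm that RX_DROP_MONITOR is the drop status this function uses on its other error paths, which the hunk does not show, and add a sentence to the commit message describing the short-frame case.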