Commit b2d03cab authored by Johannes Berg's avatar Johannes Berg
Browse files

wifi: mac80211: fix crash in beacon protection for P2P-device 



If beacon protection is active but the beacon cannot be
decrypted or is otherwise malformed, we call the cfg80211
API to report this to userspace, but that uses a netdev
pointer, which isn't present for P2P-Device. Fix this to
call it only conditionally to ensure cfg80211 won't crash
in the case of P2P-Device.

This fixes CVE-2022-42722.

Reported-by: default avatarSönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 9eaf183a ("mac80211: Report beacon protection failures to user space")
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 1833b6f4

net/mac80211/rx.c

+7 −5
Original line number Diff line number Diff line
@@ -1979,6 +1979,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 
		if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||

		    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +

				   NUM_DEFAULT_BEACON_KEYS) {

			if (rx->sdata->dev)

				cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,

							     skb->data,

							     skb->len);
@@ -2131,7 +2132,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 
	/* either the frame has been decrypted or will be dropped */

	status->flag |= RX_FLAG_DECRYPTED;



	if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))

	if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&

		     rx->sdata->dev))

		cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,

					     skb->data, skb->len);