| Message ID | 20250416021903.3178962-1-nithyanantham.paramasivam@oss.qualcomm.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [ath-next,v2] wifi: ath12k: Add MSDU length validation for tkip mic error error | expand |
On 4/15/2025 7:19 PM, Nithyanantham Paramasivam wrote:
> From: P Praneesh <quic_ppranees@quicinc.com>
In the subject: s/tkip mic error error/TKIP MIC error/
no need to repost just for this; i can make that cleanup in 'pending'
On 4/16/2025 7:49 AM, Nithyanantham Paramasivam wrote: > From: P Praneesh <quic_ppranees@quicinc.com> > > In the WBM error path, while processing TKIP MIC errors, MSDU length > is fetched from the hal_rx_desc's msdu_end. This MSDU length is > directly passed to skb_put without validation. In stress test > scenarios, the WBM error ring may receive invalid descriptors, which > could lead to an invalid MSDU length. > > To fix this, add a check to drop the skb when the calculated MSDU > length is greater than the skb size. > > Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 > Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 > > Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") > Signed-off-by: P Praneesh <quic_ppranees@quicinc.com> > Signed-off-by: Nithyanantham Paramasivam <nithyanantham.paramasivam@oss.qualcomm.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
On Wed, 16 Apr 2025 07:49:03 +0530, Nithyanantham Paramasivam wrote: > In the WBM error path, while processing TKIP MIC errors, MSDU length > is fetched from the hal_rx_desc's msdu_end. This MSDU length is > directly passed to skb_put without validation. In stress test > scenarios, the WBM error ring may receive invalid descriptors, which > could lead to an invalid MSDU length. > > To fix this, add a check to drop the skb when the calculated MSDU > length is greater than the skb size. > > [...] Applied, thanks! [1/1] wifi: ath12k: Add MSDU length validation for tkip mic error error commit: 763216fe6c5df95d122c71ef34c342427c987820 Best regards,
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c index 96785d60d671..52ccafefd35e 100644 --- a/drivers/net/wireless/ath/ath12k/dp_rx.c +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c @@ -3869,6 +3869,15 @@ static bool ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu, l3pad_bytes = ath12k_dp_rx_h_l3pad(ab, desc); msdu_len = ath12k_dp_rx_h_msdu_len(ab, desc); + + if ((hal_rx_desc_sz + l3pad_bytes + msdu_len) > DP_RX_BUFFER_SIZE) { + ath12k_dbg(ab, ATH12K_DBG_DATA, + "invalid msdu len in tkip mic err %u\n", msdu_len); + ath12k_dbg_dump(ab, ATH12K_DBG_DATA, NULL, "", desc, + sizeof(*desc)); + return true; + } + skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len); skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes);