[2/5] ath11k: Drop MSDU with length error in DP rx path

Message ID	20210913180246.193388-2-jouni@codeaurora.org
State	New
Headers	show Return-Path: <linux-wireless-owner@kernel.org> MIME-Version: References: In-Reply-To: Message-Id: Date: Subject: Cc: To: From: Sender; bh=WrTk85o6jVDyoyJoxKXGeRyBbmUALZxD8Ub4V/fI9HA=; b=jzmujV69AXfMW0EU8CyzPEbHIwAD2XSU396rPZrKn6OlnhDA9BO0XX/esXSh+bn4mgWDVnod 6F1fjSq8vr9MaXjLVrDQt0pBey4QFB2HCCI5uXtI9Bq3EVBkLUevSFuJSg4LKyCwLOiosBzL rAdZ+5uvrg+3xJg9KiWR1cwllKg= Sender: jouni=codeaurora.org@mg.codeaurora.org sender: jouni) by smtp.codeaurora.org (Postfix) with ESMTPSA id CDEA1C4360D; Mon, 13 Sep 2021 18:02:59 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 smtp.codeaurora.org CDEA1C4360D From: Jouni Malinen <jouni@codeaurora.org> To: Kalle Valo <kvalo@codeaurora.org> Cc: ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, Baochen Qiang <bqiang@codeaurora.org>, Jouni Malinen <jouni@codeaurora.org> Subject: [PATCH 2/5] ath11k: Drop MSDU with length error in DP rx path Date: Mon, 13 Sep 2021 21:02:43 +0300 Message-Id: <20210913180246.193388-2-jouni@codeaurora.org> In-Reply-To: <20210913180246.193388-1-jouni@codeaurora.org> References: <20210913180246.193388-1-jouni@codeaurora.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[1/5] ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets \| expand [1/5] ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets [2/5] ath11k: Drop MSDU with length error in DP rx path [3/5] ath11k: Fix inaccessible debug registers [4/5] ath11k: Fix memory leak in ath11k_qmi_driver_event_work [5/5] ath11k: Handle MSI enablement during rmmod and SSR

Message ID

20210913180246.193388-2-jouni@codeaurora.org

State

New

Headers

Sender: jouni=codeaurora.org@mg.codeaurora.org
DMARC-Filter: OpenDMARC Filter v1.4.1 smtp.codeaurora.org CDEA1C4360D
From: Jouni Malinen <jouni@codeaurora.org>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: ath11k@lists.infradead.org, linux-wireless@vger.kernel.org,
	Baochen Qiang <bqiang@codeaurora.org>,
	Jouni Malinen <jouni@codeaurora.org>
Subject: [PATCH 2/5] ath11k: Drop MSDU with length error in DP rx path
Date: Mon, 13 Sep 2021 21:02:43 +0300
Message-Id: <20210913180246.193388-2-jouni@codeaurora.org>
In-Reply-To: <20210913180246.193388-1-jouni@codeaurora.org>
References: <20210913180246.193388-1-jouni@codeaurora.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[1/5] ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets | expand

Commit Message

Jouni Malinen Sept. 13, 2021, 6:02 p.m. UTC

From: Baochen Qiang <bqiang@codeaurora.org>

There are MSDUs whose length are invalid. For example,
attackers may inject on purpose truncated A-MSDUs with
invalid MSDU length.

Such MSDUs are marked with an err bit set in rx attention
tlvs, so we can check and drop them.

Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1

Signed-off-by: Baochen Qiang <bqiang@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

Comments

Kalle Valo Sept. 28, 2021, 1:34 p.m. UTC | #1

Jouni Malinen <jouni@codeaurora.org> wrote:

> There are MSDUs whose length are invalid. For example,

> attackers may inject on purpose truncated A-MSDUs with

> invalid MSDU length.

> 

> Such MSDUs are marked with an err bit set in rx attention

> tlvs, so we can check and drop them.

> 

> Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1

> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1

> 

> Signed-off-by: Baochen Qiang <bqiang@codeaurora.org>

> Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>


3 patches applied to ath-next branch of ath.git, thanks.

cd18ed4cf805 ath11k: Drop MSDU with length error in DP rx path
8a0b899f169d ath11k: Fix inaccessible debug registers
72de799aa9e3 ath11k: Fix memory leak in ath11k_qmi_driver_event_work

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20210913180246.193388-2-jouni@codeaurora.org/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 0c27eead3e02..c50f70913583 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -142,6 +142,18 @@  static u32 ath11k_dp_rx_h_attn_mpdu_err(struct rx_attention *attn)
 	return errmap;
 }
 
+static bool ath11k_dp_rx_h_attn_msdu_len_err(struct ath11k_base *ab,
+					     struct hal_rx_desc *desc)
+{
+	struct rx_attention *rx_attention;
+	u32 errmap;
+
+	rx_attention = ath11k_dp_rx_get_attention(ab, desc);
+	errmap = ath11k_dp_rx_h_attn_mpdu_err(rx_attention);
+
+	return errmap & DP_RX_MPDU_ERR_MSDU_LEN;
+}
+
 static u16 ath11k_dp_rx_h_msdu_start_msdu_len(struct ath11k_base *ab,
 					      struct hal_rx_desc *desc)
 {
@@ -2525,6 +2537,12 @@  static int ath11k_dp_rx_process_msdu(struct ath11k *ar,
 	}
 
 	rx_desc = (struct hal_rx_desc *)msdu->data;
+	if (ath11k_dp_rx_h_attn_msdu_len_err(ab, rx_desc)) {
+		ath11k_warn(ar->ab, "msdu len not valid\n");
+		ret = -EIO;
+		goto free_out;
+	}
+
 	lrx_desc = (struct hal_rx_desc *)last_buf->data;
 	rx_attention = ath11k_dp_rx_get_attention(ab, lrx_desc);
 	if (!ath11k_dp_rx_h_attn_msdu_done(rx_attention)) {

[2/5] ath11k: Drop MSDU with length error in DP rx path

Commit Message

Comments

Patch