From patchwork Thu Jun 10 16:19:16 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Anirudh Rayabharam
X-Patchwork-Id: 458280
From: Anirudh Rayabharam
To: Johannes Berg, Kalle Valo, "David S. Miller", Jakub Kicinski
Cc: gregkh@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, Anirudh Rayabharam, syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] mac80211_hwsim: correctly handle zero length frames
Date: Thu, 10 Jun 2021 21:49:16 +0530
Message-Id: <20210610161916.9307-1-mail@anirudhrb.com>
X-Mailer: git-send-email 2.26.2
X-Mailing-List: linux-wireless@vger.kernel.org

syzbot, using KMSAN, has reported an uninit-value access in
hwsim_cloned_frame_received_nl(). This is happening because
frame_data_len is 0. The code doesn't detect this case and blindly
tries to read the frame's header.

Fix this by bailing out in case frame_data_len is 0.

Reported-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com
Tested-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam
---
 drivers/net/wireless/mac80211_hwsim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 51ce767eaf88..ccfe40313109 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3649,7 +3649,7 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, if (skb == NULL) goto err; - if (frame_data_len > IEEE80211_MAX_DATA_LEN) + if (frame_data_len == 0 || frame_data_len > IEEE80211_MAX_DATA_LEN) goto err; /* Copy the data */
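
Review bot: the new lower bound in `if (frame_data_len == 0 || frame_data_len > IEEE80211_MAX_DATA_LEN)` rejects only an empty frame, while the commit message says the code that follows reads the frame's header. A frame with a non-zero length that is still shorter than that header would pass this check, and the header read would again touch bytes that were never copied in. Consider comparing frame_data_len against the size of the smallest header the function goes on to read, rather than against 0, and state in the commit message which header size that is.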