From: Liad Kaufman <liad.kaufman@xxxxxxxxx>
The ieee80211_vendor_radiotap was read from the beginning
of the skb->data regardless of the existence of other
elements in radiotap that would cause it to move to another
position. Fix this by taking into account where it really
should be.
Signed-off-by: Liad Kaufman <liad.kaufman@xxxxxxxxx>
Signed-off-by: Luca Coelho <luciano.coelho@xxxxxxxxx>
---
net/mac80211/rx.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index bb4d71efb6fb..c97018dd17fe 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -5,7 +5,7 @@
* Copyright 2007-2010 Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
* Copyright 2013-2014 Intel Mobile Communications GmbH
* Copyright(c) 2015 - 2017 Intel Deutschland GmbH
- * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2018-2019 Intel Corporation
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -208,7 +208,24 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
}
if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
- struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;
+ struct ieee80211_vendor_radiotap *rtap;
+ int vendor_data_offset = 0;
+
+ /*
+ * The position to look at depends on the existence (or non-
+ * existence) of other elements, so take that into account...
+ */
+ if (status->flag & RX_FLAG_RADIOTAP_HE)
+ vendor_data_offset +=
+ sizeof(struct ieee80211_radiotap_he);
+ if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
+ vendor_data_offset +=
+ sizeof(struct ieee80211_radiotap_he_mu);
+ if (status->flag & RX_FLAG_RADIOTAP_LSIG)
+ vendor_data_offset +=
+ sizeof(struct ieee80211_radiotap_lsig);
+
+ rtap = (void *)&skb->data[vendor_data_offset];
/* alignment for fixed 6-byte vendor data header */
len = ALIGN(len, 2);
--
2.20.1
