wifi: mac80211: fix potential null pointer dereference

Felix Fietkau <nbd@xxxxxxxx> · Thu, 30 Mar 2023 11:00:01 +0200

From: Felix Fietkau <nbd@xxxxxxxx>

commit a16fc38315f2c69c520ee769976ecb9c706b8560 upstream.

rx->sta->amsdu_mesh_control is being passed to ieee80211_amsdu_to_8023s
without checking rx->sta. Since it doesn't make sense to accept A-MSDU
packets without a sta, simply add a check earlier.

Fixes: 6e4c0d0460bd ("wifi: mac80211: add a workaround for receiving non-standard mesh A-MSDU")
Signed-off-by: Felix Fietkau <nbd@xxxxxxxx>
Link: https://lore.kernel.org/r/20230330090001.60750-2-nbd@xxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/mac80211/rx.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2938,7 +2938,7 @@ __ieee80211_rx_h_amsdu(struct ieee80211_
 					  data_offset, true))
 		return RX_DROP_UNUSABLE;
 
-	if (rx->sta && rx->sta->amsdu_mesh_control < 0) {
+	if (rx->sta->amsdu_mesh_control < 0) {
 		bool valid_std = ieee80211_is_valid_amsdu(skb, true);
 		bool valid_nonstd = ieee80211_is_valid_amsdu(skb, false);
 
@@ -3014,7 +3014,7 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx
 		}
 	}
 
-	if (is_multicast_ether_addr(hdr->addr1))
+	if (is_multicast_ether_addr(hdr->addr1) || !rx->sta)
 		return RX_DROP_UNUSABLE;
 
 	if (rx->key) {


Patches currently in stable-queue which might be from nbd@xxxxxxxx are

queue-6.1/wifi-cfg80211-fix-receiving-mesh-packets-without-rfc1042-header.patch
queue-6.1/wifi-mac80211-fix-potential-null-pointer-dereference.patch
queue-6.1/udp-fix-receiving-fraglist-gso-packets.patch
queue-6.1/wifi-mac80211-fix-mesh-path-discovery-based-on-unicast-packets.patch
queue-6.1/wifi-mac80211-fix-mesh-forwarding.patch
queue-6.1/wifi-mac80211-fix-receiving-a-msdu-frames-on-mesh-in.patch
queue-6.1/wifi-mac80211-fix-flow-dissection-for-forwarded-packets.patch
queue-6.1/wifi-mac80211-drop-bogus-static-keywords-in-a-msdu-rx.patch
queue-6.1/wifi-cfg80211-factor-out-bridge-tunnel-rfc1042-heade.patch
queue-6.1/wifi-mac80211-fix-receiving-mesh-packets-in-forwarding-0-networks.patch
queue-6.1/wifi-mac80211-fix-and-simplify-unencrypted-drop-chec.patch
queue-6.1/wifi-mac80211-remove-mesh-forwarding-congestion-chec.patch
queue-6.1/wifi-cfg80211-move-a-msdu-check-in-ieee80211_data_to.patch
queue-6.1/wifi-mac80211-add-a-workaround-for-receiving-non-sta.patch







