Linux kernel development work - see feature branches https://git.zx2c4.com/linux-dev/atom/net/wireless/radiotap.c?h=linus%2Fmaster 2021-08-13T07:58:25Z 2021-08-13T07:58:25Z Kees Cook keescook@chromium.org 2021-08-06T21:53:05Z urn:sha1:8c89f7b3d3f2880c57b0bc96c72ccd98fe354399 In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. The it_present member of struct ieee80211_radiotap_header is treated as a flexible array (multiple u32s can be conditionally present). In order for memcpy() to reason (or really, not reason) about the size of operations against this struct, use of bytes beyond it_present need to be treated as part of the flexible array. Add a trailing flexible array and initialize its initial index via pointer arithmetic. Cc: Johannes Berg <johannes@sipsolutions.net> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210806215305.2875621-1-keescook@chromium.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2021-08-13T07:58:25Z Kees Cook keescook@chromium.org 2021-08-06T21:51:12Z urn:sha1:5cafd3784a738eab8bbfcda17e8571050794ef32 IEEE80211_RADIOTAP_EXT has a value of 31, which means if shift was ever cast to 64-bit, the result would become sign-extended. As a matter of robustness, just replace all the open-coded shifts with BIT(). Suggested-by: David Sterba <dsterba@suse.cz> Link: https://lore.kernel.org/lkml/20210728092323.GW5047@twin.jikos.cz/ Cc: Johannes Berg <johannes@sipsolutions.net> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210806215112.2874773-1-keescook@chromium.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2020-09-28T11:53:05Z Johannes Berg johannes.berg@intel.com 2020-09-24T17:25:12Z urn:sha1:211f20415995f0c40aa91a0856b5f442154d56b2 The vendor namespaces argument isn't described here, add it. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Link: https://lore.kernel.org/r/20200924192511.2bf5cc761d3a.I9b4579ab3eebe3d7889b59eea8fa50d683611bab@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2020-04-30T19:56:37Z Mauro Carvalho Chehab mchehab+huawei@kernel.org 2020-04-30T16:04:17Z urn:sha1:66d495d0a5aecd1692f6b5e3190de14f9a31e14b - add SPDX header; - adjust title markup; - mark code blocks and literals as such; - adjust identation, whitespaces and blank lines where needed; - add to networking/index.rst. Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-02-24T08:04:41Z Lorenzo Bianconi lorenzo.bianconi83@gmail.com 2016-02-19T10:43:04Z urn:sha1:7837a7778268191dae5f6622f2b92b8b37cb8d7f Add IEEE80211_RADIOTAP_VHT entry to rtap_namespace_sizes array in order to define alignment and size of VHT info in tx radiotap Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2013-12-16T11:06:43Z Johannes Berg johannes.berg@intel.com 2013-12-16T11:04:36Z urn:sha1:bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 Evan Huus found (by fuzzing in wireshark) that the radiotap iterator code can access beyond the length of the buffer if the first bitmap claims an extension but then there's no data at all. Fix this. Cc: stable@vger.kernel.org Reported-by: Evan Huus <eapache@gmail.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2013-10-14T07:47:00Z Johannes Berg johannes.berg@intel.com 2013-10-11T12:47:05Z urn:sha1:f5563318ff1bde15b10e736e97ffce13be08bc1a When parsing an invalid radiotap header, the parser can overrun the buffer that is passed in because it doesn't correctly check 1) the minimum radiotap header size 2) the space for extended bitmaps The first issue doesn't affect any in-kernel user as they all check the minimum size before calling the radiotap function. The second issue could potentially affect the kernel if an skb is passed in that consists only of the radiotap header with a lot of extended bitmaps that extend past the SKB. In that case a read-only buffer overrun by at most 4 bytes is possible. Fix this by adding the appropriate checks to the parser. Cc: stable@vger.kernel.org Reported-by: Evan Huus <eapache@gmail.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2012-08-20T11:53:09Z Johannes Berg johannes.berg@intel.com 2012-07-05T09:32:16Z urn:sha1:48613ece3d6a2613caa376f51477435cc080f3cd Define the A-MPDU status field in radiotap, also update the radiotap parser for it and the MCS field that was apparently missed last time. Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2011-10-31T23:30:30Z Paul Gortmaker paul.gortmaker@windriver.com 2011-07-15T15:47:34Z urn:sha1:bc3b2d7fb9b014d75ebb79ba371a763dbab5e8cf These files are non modular, but need to export symbols using the macros now living in export.h -- call out the include so that things won't break when we remove the implicit presence of module.h from everywhere. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2010-10-15T19:57:34Z Johannes Berg johannes.berg@intel.com 2010-10-14T11:41:35Z urn:sha1:9ebad4ab87f2ffa6eca825327721e647c7457264 There's a bug with radiotap vendor namespace parsing if you don't register for the given namespace extensions. Fix this by passing only the unknown vendor namespaces and the registered data to frontends, but not both. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>