lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240815-ieee80211_convert_to_unicast-v1-1-648f0c195474@quicinc.com>
Date: Thu, 15 Aug 2024 09:18:30 -0700
From: Jeff Johnson <quic_jjohnson@...cinc.com>
To: Johannes Berg <johannes@...solutions.net>,
        "David S. Miller"
	<davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski
	<kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Michael Braun
	<michael-dev@...i-braun.de>
CC: Harsh Kumar Bijlani <hbijlani@....qualcomm.com>,
        Kalyan Tallapragada
	<ktallapr@....qualcomm.com>,
        Jyothi Chukkapalli <jchukkap@....qualcomm.com>,
        Anirban Sirkhell <anirban@....qualcomm.com>,
        Johannes Berg
	<johannes.berg@...el.com>,
        <linux-wireless@...r.kernel.org>, <netdev@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <ath12k@...ts.infradead.org>,
        Jeff Johnson <quic_jjohnson@...cinc.com>
Subject: [PATCH] wifi: mac80211: Fix ieee80211_convert_to_unicast() logic

The current logic in ieee80211_convert_to_unicast() uses skb_clone()
to obtain an skb for each individual destination of a multicast
frame, and then updates the destination address in the cloned skb's
data buffer before placing that skb on the provided queue.

This logic is flawed since skb_clone() shares the same data buffer
with the original and the cloned skb, and hence each time the
destination address is updated, it overwrites the previous destination
address in this shared buffer. As a result, due to the special handing
of the first valid destination, all of the skbs will eventually be
sent to that first destination.

Fix this issue by using skb_copy() instead of skb_clone(). This will
result in a duplicate data buffer being allocated for each
destination, and hence each skb will be transmitted to the proper
destination.

Fixes: ebceec860fc3 ("mac80211: multicast to unicast conversion")
Signed-off-by: Jeff Johnson <quic_jjohnson@...cinc.com>
---
 net/mac80211/tx.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 72a9ba8bc5fd..0ee1c7df424c 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -4408,7 +4408,7 @@ ieee80211_convert_to_unicast(struct sk_buff *skb, struct net_device *dev,
 	struct ieee80211_local *local = sdata->local;
 	const struct ethhdr *eth = (struct ethhdr *)skb->data;
 	struct sta_info *sta, *first = NULL;
-	struct sk_buff *cloned_skb;
+	struct sk_buff *copied_skb;
 
 	rcu_read_lock();
 
@@ -4423,14 +4423,14 @@ ieee80211_convert_to_unicast(struct sk_buff *skb, struct net_device *dev,
 			first = sta;
 			continue;
 		}
-		cloned_skb = skb_clone(skb, GFP_ATOMIC);
-		if (!cloned_skb)
+		copied_skb = skb_copy(skb, GFP_ATOMIC);
+		if (!copied_skb)
 			goto multicast;
-		if (unlikely(ieee80211_change_da(cloned_skb, sta))) {
-			dev_kfree_skb(cloned_skb);
+		if (unlikely(ieee80211_change_da(copied_skb, sta))) {
+			dev_kfree_skb(copied_skb);
 			goto multicast;
 		}
-		__skb_queue_tail(queue, cloned_skb);
+		__skb_queue_tail(queue, copied_skb);
 	}
 
 	if (likely(first)) {

---
base-commit: ae98f5c9fd8ba84cd408b41faa77e65bf1b4cdfa
change-id: 20240813-ieee80211_convert_to_unicast-1ddee968711d

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ