mac80211: Don’t memset RXCB prior to PAE intercept [Linux 4.19.70]

This Linux kernel change, "mac80211: Don’t memset RXCB prior to PAE intercept", is included in the Linux 4.19.70 release. It was authored by Denis Kenzior <denkenz [at] gmail.com> on Tue Aug 27 17:41:19 2019 -0500. The commit for this change in the Linux stable tree is 4f139c0, which is from upstream commit c8a41c6. The same upstream change may have been applied to other maintained Linux releases.

mac80211: Don't memset RXCB prior to PAE intercept

commit c8a41c6afa27b8c3f61622dfd882b912da9d6721 upstream.

ieee80211_deliver_skb_to_local_stack intercepts EAPoL frames if
mac80211 is configured to do so and forwards the contents over nl80211.
During this process some additional data is also forwarded, including
whether the frame was received encrypted or not.  Unfortunately just
prior to the call to ieee80211_deliver_skb_to_local_stack, skb->cb is
cleared, resulting in incorrect data being exposed over nl80211.

Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211")
Cc: stable@vger.kernel.org
Signed-off-by: Denis Kenzior <denkenz@gmail.com>
Link: https://lore.kernel.org/r/20190827224120.14545-2-denkenz@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This change adds or deletes 4 lines of Linux source code. The code changes to the Linux kernel are as follows.

 net/mac80211/rx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 7523d99..348e9dd 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2377,6 +2377,8 @@ static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
        cfg80211_rx_control_port(dev, skb, noencrypt);
        dev_kfree_skb(skb);
    } else {
+       memset(skb->cb, 0, sizeof(skb->cb));
+
        /* deliver to local stack */
        if (rx->napi)
            napi_gro_receive(rx->napi, skb);
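Review bot: The memset added at the top of the else branch carries no comment saying why it must stay there rather than sit above the if, which is exactly the placement that caused the bug. The control-port branch just above passes noencrypt to cfg80211_rx_control_port(), and per the commit message that information depends on skb->cb still being intact at that point. A one-line comment above the memset, stating that cb is cleared only once the control-port path no longer needs it, would keep a later cleanup from hoisting it back out.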
@@ -2470,8 +2472,6 @@ static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,

    if (skb) {
        skb->protocol = eth_type_trans(skb, dev);
-       memset(skb->cb, 0, sizeof(skb->cb));
-
        ieee80211_deliver_skb_to_local_stack(skb, rx);
    }

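Review bot: The call to ieee80211_deliver_skb_to_local_stack(skb, rx) at the end of this hunk now hands over skb->cb uncleared, and nothing at the call site or in the visible part of the callee documents that the callee owns the clearing. The visible code covers both current outcomes (the control-port branch frees the skb with dev_kfree_skb(), the else branch clears cb before napi_gro_receive()), but any new branch that passes the skb up the stack would forward stale RX control-block contents. Consider a short comment at the head of ieee80211_deliver_skb_to_local_stack stating that cb is valid on entry and must be zeroed before the skb leaves mac80211.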