
[wireless,v2] wifi: mac80211: drop invalid source address OCB frames

Message ID 20250616171838.7433379cab5d.I47444d63c72a0bd58d2e2b67bb99e1fea37eec6f@changeid
State Superseded
Series [wireless,v2] wifi: mac80211: drop invalid source address OCB frames

Commit Message

Johannes Berg June 16, 2025, 3:18 p.m. UTC
From: Johannes Berg <johannes.berg@intel.com>

In OCB, don't accept frames from invalid source addresses
(and in particular don't try to create stations for them),
drop the frames instead.

Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/6788d2d9.050a0220.20d369.0028.GAE@google.com/
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
#syz test
---
 net/mac80211/rx.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

syzbot June 16, 2025, 3:45 p.m. UTC | #1
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
Tested-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com

Tested on:

commit:         e04c78d8 Linux 6.16-rc2
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f5ee82580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f72e140c622500d
dashboard link: https://syzkaller.appspot.com/bug?extid=8b512026a7ec10dcbdd9
compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14ae15d4580000

Note: testing is done by a robot and is best-effort only.

Patch

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 09beb65d6108..e73431549ce7 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -4432,6 +4432,10 @@  static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
 		if (!multicast &&
 		    !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
 			return false;
+		/* reject invalid/our STA address */
+		if (!is_valid_ether_addr(hdr->addr2) ||
+		    ether_addr_equal(sdata->dev->dev_addr, hdr->addr2))
+			return false;
 		if (!rx->sta) {
 			int rate_idx;
 			if (status->encoding != RX_ENC_LEGACY)
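
Review bot: the second half of the added condition, ether_addr_equal(sdata->dev->dev_addr, hdr->addr2), also drops frames whose source is our own address, but the commit message only talks about invalid source addresses. Please mention the own-address case in the commit message so the behaviour change is documented. The comment "reject invalid/our STA address" could also say why the check sits here: it runs before the !rx->sta branch, so no station entry is created for a multicast, all-zero or own-address addr2. A blank line before the comment would also separate it from the preceding addr1 check.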