wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (80fda1cd) · Commits · git / linux-nf

drivers/net/wireless/mediatek/mt76/mt7996/mac.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -647,6 +647,14 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, enum mt76_rxq_id q,
		status->last_amsdu = amsdu_info == MT_RXD4_LAST_AMSDU_FRAME;
		}

		/* IEEE 802.11 fragmentation can only be applied to unicast frames.
		* Hence, drop fragments with multicast/broadcast RA.
		* This check fixes vulnerabilities, like CVE-2020-26145.
		*/
		if ((ieee80211_has_morefrags(fc) \|\| seq_ctrl & IEEE80211_SCTL_FRAG) &&
		FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3) != MT_RXD3_NORMAL_U2M)
		return -EINVAL;

		hdr_gap = (u8 )rxd - skb->data + 2 remove_pad;
		if (hdr_trans && ieee80211_has_morefrags(fc)) {
		if (mt7996_reverse_frag0_hdr_trans(skb, hdr_gap))