ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 1885

User:	Jiri Slaby
Error type:	Invalid Pointer Dereference
Error type description:	A pointer which is invalid is being dereferenced
File location:	net/ieee80211/ieee80211_tx.c
Line in file:	402
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Smatch (1.59)
Entered:	2013-09-11 08:47:26 UTC
Source:

  1/******************************************************************************
  2
  3  Copyright(c) 2003 - 2005 Intel Corporation. All rights reserved.
  4
  5  This program is free software; you can redistribute it and/or modify it
  6  under the terms of version 2 of the GNU General Public License as
  7  published by the Free Software Foundation.
  8
  9  This program is distributed in the hope that it will be useful, but WITHOUT
 10  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 11  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
 12  more details.
 13
 14  You should have received a copy of the GNU General Public License along with
 15  this program; if not, write to the Free Software Foundation, Inc., 59
 16  Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 17
 18  The full GNU General Public License is included in this distribution in the
 19  file called LICENSE.
 20
 21  Contact Information:
 22  James P. Ketrenos <ipw2100-admin@linux.intel.com>
 23  Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, OR 97124-6497
 24
 25******************************************************************************/
 26#include <linux/compiler.h>
 27#include <linux/errno.h>
 28#include <linux/if_arp.h>
 29#include <linux/in6.h>
 30#include <linux/in.h>
 31#include <linux/ip.h>
 32#include <linux/kernel.h>
 33#include <linux/module.h>
 34#include <linux/netdevice.h>
 35#include <linux/proc_fs.h>
 36#include <linux/skbuff.h>
 37#include <linux/slab.h>
 38#include <linux/tcp.h>
 39#include <linux/types.h>
 40#include <linux/wireless.h>
 41#include <linux/etherdevice.h>
 42#include <asm/uaccess.h>
 43
 44#include <net/ieee80211.h>
 45
 46/*
 47
 48802.11 Data Frame
 49
 50      ,-------------------------------------------------------------------.
 51Bytes |  2   |  2   |    6    |    6    |    6    |  2   | 0..2312 |   4  |
 52      |------|------|---------|---------|---------|------|---------|------|
 53Desc. | ctrl | dura |  DA/RA  |   TA    |    SA   | Sequ |  Frame  |  fcs |
 54      |      | tion | (BSSID) |         |         | ence |  data   |      |
 55      `--------------------------------------------------|         |------'
 56Total: 28 non-data bytes                                 `----.----'
 57                                                              |
 58       .- 'Frame data' expands, if WEP enabled, to <----------'
 59       |
 60       V
 61      ,-----------------------.
 62Bytes |  4  |   0-2296  |  4  |
 63      |-----|-----------|-----|
 64Desc. | IV  | Encrypted | ICV |
 65      |     | Packet    |     |
 66      `-----|           |-----'
 67            `-----.-----'
 68                  |
 69       .- 'Encrypted Packet' expands to
 70       |
 71       V
 72      ,---------------------------------------------------.
 73Bytes |  1   |  1   |    1    |    3     |  2   |  0-2304 |
 74      |------|------|---------|----------|------|---------|
 75Desc. | SNAP | SNAP | Control |Eth Tunnel| Type | IP      |
 76      | DSAP | SSAP |         |          |      | Packet  |
 77      | 0xAA | 0xAA |0x03 (UI)|0x00-00-F8|      |         |
 78      `----------------------------------------------------
 79Total: 8 non-data bytes
 80
 81802.3 Ethernet Data Frame
 82
 83      ,-----------------------------------------.
 84Bytes |   6   |   6   |  2   |  Variable |   4  |
 85      |-------|-------|------|-----------|------|
 86Desc. | Dest. | Source| Type | IP Packet |  fcs |
 87      |  MAC  |  MAC  |      |           |      |
 88      `-----------------------------------------'
 89Total: 18 non-data bytes
 90
 91In the event that fragmentation is required, the incoming payload is split into
 92N parts of size ieee->fts.  The first fragment contains the SNAP header and the
 93remaining packets are just data.
 94
 95If encryption is enabled, each fragment payload size is reduced by enough space
 96to add the prefix and postfix (IV and ICV totalling 8 bytes in the case of WEP)
 97So if you have 1500 bytes of payload with ieee->fts set to 500 without
 98encryption it will take 3 frames.  With WEP it will take 4 frames as the
 99payload of each frame is reduced to 492 bytes.
100
101* SKB visualization
102*
103*  ,- skb->data
104* |
105* |    ETHERNET HEADER        ,-<-- PAYLOAD
106* |                           |     14 bytes from skb->data
107* |  2 bytes for Type --> ,T. |     (sizeof ethhdr)
108* |                       | | |
109* |,-Dest.--. ,--Src.---. | | |
110* |  6 bytes| | 6 bytes | | | |
111* v         | |         | | | |
112* 0         | v       1 | v | v           2
113* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
114*     ^     | ^         | ^ |
115*     |     | |         | | |
116*     |     | |         | `T' <---- 2 bytes for Type
117*     |     | |         |
118*     |     | '---SNAP--' <-------- 6 bytes for SNAP
119*     |     |
120*     `-IV--' <-------------------- 4 bytes for IV (WEP)
121*
122*      SNAP HEADER
123*
124*/
125
126static u8 P802_1H_OUI[P80211_OUI_LEN] = { 0x00, 0x00, 0xf8 };
127static u8 RFC1042_OUI[P80211_OUI_LEN] = { 0x00, 0x00, 0x00 };
128
129static int ieee80211_copy_snap(u8 * data, __be16 h_proto)
130{
131        struct ieee80211_snap_hdr *snap;
132        u8 *oui;
133
134        snap = (struct ieee80211_snap_hdr *)data;
135        snap->dsap = 0xaa;
136        snap->ssap = 0xaa;
137        snap->ctrl = 0x03;
138
139        if (h_proto == htons(ETH_P_AARP) || h_proto == htons(ETH_P_IPX))
140                oui = P802_1H_OUI;
141        else
142                oui = RFC1042_OUI;
143        snap->oui[0] = oui[0];
144        snap->oui[1] = oui[1];
145        snap->oui[2] = oui[2];
146
147        memcpy(data + SNAP_SIZE, &h_proto, sizeof(u16));
148
149        return SNAP_SIZE + sizeof(u16);
150}
151
152static int ieee80211_encrypt_fragment(struct ieee80211_device *ieee,
153                                             struct sk_buff *frag, int hdr_len)
154{
155        struct ieee80211_crypt_data *crypt = ieee->crypt[ieee->tx_keyidx];
156        int res;
157
158        if (crypt == NULL)
159                return -1;
160
161        /* To encrypt, frame format is:
162         * IV (4 bytes), clear payload (including SNAP), ICV (4 bytes) */
163        atomic_inc(&crypt->refcnt);
164        res = 0;
165        if (crypt->ops && crypt->ops->encrypt_mpdu)
166                res = crypt->ops->encrypt_mpdu(frag, hdr_len, crypt->priv);
167
168        atomic_dec(&crypt->refcnt);
169        if (res < 0) {
170                printk(KERN_INFO "%s: Encryption failed: len=%d.\n",
171                       ieee->dev->name, frag->len);
172                ieee->ieee_stats.tx_discards++;
173                return -1;
174        }
175
176        return 0;
177}
178
179void ieee80211_txb_free(struct ieee80211_txb *txb)
180{
181        int i;
182        if (unlikely(!txb))
183                return;
184        for (i = 0; i < txb->nr_frags; i++)
185                if (txb->fragments[i])
186                        dev_kfree_skb_any(txb->fragments[i]);
187        kfree(txb);
188}
189
190static struct ieee80211_txb *ieee80211_alloc_txb(int nr_frags, int txb_size,
191                                                 int headroom, gfp_t gfp_mask)
192{
193        struct ieee80211_txb *txb;
194        int i;
195        txb = kmalloc(sizeof(struct ieee80211_txb) + (sizeof(u8 *) * nr_frags),
196                      gfp_mask);
197        if (!txb)
198                return NULL;
199
200        memset(txb, 0, sizeof(struct ieee80211_txb));
201        txb->nr_frags = nr_frags;
202        txb->frag_size = txb_size;
203
204        for (i = 0; i < nr_frags; i++) {
205                txb->fragments[i] = __dev_alloc_skb(txb_size + headroom,
206                                                    gfp_mask);
207                if (unlikely(!txb->fragments[i])) {
208                        i--;
209                        break;
210                }
211                skb_reserve(txb->fragments[i], headroom);
212        }
213        if (unlikely(i != nr_frags)) {
214                while (i >= 0)
215                        dev_kfree_skb_any(txb->fragments[i--]);
216                kfree(txb);
217                return NULL;
218        }
219        return txb;
220}
221
222static int ieee80211_classify(struct sk_buff *skb)
223{
224        struct ethhdr *eth;
225        struct iphdr *ip;
226
227        eth = (struct ethhdr *)skb->data;
228        if (eth->h_proto != htons(ETH_P_IP))
229                return 0;
230
231        ip = ip_hdr(skb);
232        switch (ip->tos & 0xfc) {
233        case 0x20:
234                return 2;
235        case 0x40:
236                return 1;
237        case 0x60:
238                return 3;
239        case 0x80:
240                return 4;
241        case 0xa0:
242                return 5;
243        case 0xc0:
244                return 6;
245        case 0xe0:
246                return 7;
247        default:
248                return 0;
249        }
250}
251
252/* Incoming skb is converted to a txb which consists of
253 * a block of 802.11 fragment packets (stored as skbs) */
254int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
255{
256        struct ieee80211_device *ieee = netdev_priv(dev);
257        struct ieee80211_txb *txb = NULL;
258        struct ieee80211_hdr_3addrqos *frag_hdr;
259        int i, bytes_per_frag, nr_frags, bytes_last_frag, frag_size,
260            rts_required;
261        unsigned long flags;
262        struct net_device_stats *stats = &ieee->stats;
263        int encrypt, host_encrypt, host_encrypt_msdu, host_build_iv;
264        __be16 ether_type;
265        int bytes, fc, hdr_len;
266        struct sk_buff *skb_frag;
267        struct ieee80211_hdr_3addrqos header = {/* Ensure zero initialized */
268                .duration_id = 0,
269                .seq_ctl = 0,
270                .qos_ctl = 0
271        };
272        u8 dest[ETH_ALEN], src[ETH_ALEN];
273        struct ieee80211_crypt_data *crypt;
274        int priority = skb->priority;
275        int snapped = 0;
276
277        if (ieee->is_queue_full && (*ieee->is_queue_full) (dev, priority))
278                return NETDEV_TX_BUSY;
279
280        spin_lock_irqsave(&ieee->lock, flags);
281
282        /* If there is no driver handler to take the TXB, dont' bother
283         * creating it... */
284        if (!ieee->hard_start_xmit) {
285                printk(KERN_WARNING "%s: No xmit handler.\n", ieee->dev->name);
286                goto success;
287        }
288
289        if (unlikely(skb->len < SNAP_SIZE + sizeof(u16))) {
290                printk(KERN_WARNING "%s: skb too small (%d).\n",
291                       ieee->dev->name, skb->len);
292                goto success;
293        }
294
295        ether_type = ((struct ethhdr *)skb->data)->h_proto;
296
297        crypt = ieee->crypt[ieee->tx_keyidx];
298
299        encrypt = !(ether_type == htons(ETH_P_PAE) && ieee->ieee802_1x) &&
300            ieee->sec.encrypt;
301
302        host_encrypt = ieee->host_encrypt && encrypt && crypt;
303        host_encrypt_msdu = ieee->host_encrypt_msdu && encrypt && crypt;
304        host_build_iv = ieee->host_build_iv && encrypt && crypt;
305
306        if (!encrypt && ieee->ieee802_1x &&
307            ieee->drop_unencrypted && ether_type != htons(ETH_P_PAE)) {
308                stats->tx_dropped++;
309                goto success;
310        }
311
312        /* Save source and destination addresses */
313        skb_copy_from_linear_data(skb, dest, ETH_ALEN);
314        skb_copy_from_linear_data_offset(skb, ETH_ALEN, src, ETH_ALEN);
315
316        if (host_encrypt || host_build_iv)
317                fc = IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA |
318                    IEEE80211_FCTL_PROTECTED;
319        else
320                fc = IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA;
321
322        if (ieee->iw_mode == IW_MODE_INFRA) {
323                fc |= IEEE80211_FCTL_TODS;
324                /* To DS: Addr1 = BSSID, Addr2 = SA, Addr3 = DA */
325                memcpy(header.addr1, ieee->bssid, ETH_ALEN);
326                memcpy(header.addr2, src, ETH_ALEN);
327                memcpy(header.addr3, dest, ETH_ALEN);
328        } else if (ieee->iw_mode == IW_MODE_ADHOC) {
329                /* not From/To DS: Addr1 = DA, Addr2 = SA, Addr3 = BSSID */
330                memcpy(header.addr1, dest, ETH_ALEN);
331                memcpy(header.addr2, src, ETH_ALEN);
332                memcpy(header.addr3, ieee->bssid, ETH_ALEN);
333        }
334        hdr_len = IEEE80211_3ADDR_LEN;
335
336        if (ieee->is_qos_active && ieee->is_qos_active(dev, skb)) {
337                fc |= IEEE80211_STYPE_QOS_DATA;
338                hdr_len += 2;
339
340                skb->priority = ieee80211_classify(skb);
341                header.qos_ctl |= cpu_to_le16(skb->priority & IEEE80211_QCTL_TID);
342        }
343        header.frame_ctl = cpu_to_le16(fc);
344
345        /* Advance the SKB to the start of the payload */
346        skb_pull(skb, sizeof(struct ethhdr));
347
348        /* Determine total amount of storage required for TXB packets */
349        bytes = skb->len + SNAP_SIZE + sizeof(u16);
350
351        /* Encrypt msdu first on the whole data packet. */
352        if ((host_encrypt || host_encrypt_msdu) &&
353            crypt && crypt->ops && crypt->ops->encrypt_msdu) {
354                int res = 0;
355                int len = bytes + hdr_len + crypt->ops->extra_msdu_prefix_len +
356                    crypt->ops->extra_msdu_postfix_len;
357                struct sk_buff *skb_new = dev_alloc_skb(len);
358
359                if (unlikely(!skb_new))
360                        goto failed;
361
362                skb_reserve(skb_new, crypt->ops->extra_msdu_prefix_len);
363                memcpy(skb_put(skb_new, hdr_len), &header, hdr_len);
364                snapped = 1;
365                ieee80211_copy_snap(skb_put(skb_new, SNAP_SIZE + sizeof(u16)),
366                                    ether_type);
367                skb_copy_from_linear_data(skb, skb_put(skb_new, skb->len), skb->len);
368                res = crypt->ops->encrypt_msdu(skb_new, hdr_len, crypt->priv);
369                if (res < 0) {
370                        IEEE80211_ERROR("msdu encryption failed\n");
371                        dev_kfree_skb_any(skb_new);
372                        goto failed;
373                }
374                dev_kfree_skb_any(skb);
375                skb = skb_new;
376                bytes += crypt->ops->extra_msdu_prefix_len +
377                    crypt->ops->extra_msdu_postfix_len;
378                skb_pull(skb, hdr_len);
379        }
380
381        if (host_encrypt || ieee->host_open_frag) {
382                /* Determine fragmentation size based on destination (multicast
383                 * and broadcast are not fragmented) */
384                if (is_multicast_ether_addr(dest) ||
385                    is_broadcast_ether_addr(dest))
386                        frag_size = MAX_FRAG_THRESHOLD;
387                else
388                        frag_size = ieee->fts;
389
390                /* Determine amount of payload per fragment.  Regardless of if
391                 * this stack is providing the full 802.11 header, one will
392                 * eventually be affixed to this fragment -- so we must account
393                 * for it when determining the amount of payload space. */
394                bytes_per_frag = frag_size - hdr_len;
395                if (ieee->config &
396                    (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS))
397                        bytes_per_frag -= IEEE80211_FCS_LEN;
398
399                /* Each fragment may need to have room for encryptiong
400                 * pre/postfix */
401                if (host_encrypt)
402                        bytes_per_frag -= crypt->ops->extra_mpdu_prefix_len +
403                            crypt->ops->extra_mpdu_postfix_len;
404
405                /* Number of fragments is the total
406                 * bytes_per_frag / payload_per_fragment */
407                nr_frags = bytes / bytes_per_frag;
408                bytes_last_frag = bytes % bytes_per_frag;
409                if (bytes_last_frag)
410                        nr_frags++;
411                else
412                        bytes_last_frag = bytes_per_frag;
413        } else {
414                nr_frags = 1;
415                bytes_per_frag = bytes_last_frag = bytes;
416                frag_size = bytes + hdr_len;
417        }
418
419        rts_required = (frag_size > ieee->rts
420                        && ieee->config & CFG_IEEE80211_RTS);
421        if (rts_required)
422                nr_frags++;
423
424        /* When we allocate the TXB we allocate enough space for the reserve
425         * and full fragment bytes (bytes_per_frag doesn't include prefix,
426         * postfix, header, FCS, etc.) */
427        txb = ieee80211_alloc_txb(nr_frags, frag_size,
428                                  ieee->tx_headroom, GFP_ATOMIC);
429        if (unlikely(!txb)) {
430                printk(KERN_WARNING "%s: Could not allocate TXB\n",
431                       ieee->dev->name);
432                goto failed;
433        }
434        txb->encrypted = encrypt;
435        if (host_encrypt)
436                txb->payload_size = frag_size * (nr_frags - 1) +
437                    bytes_last_frag;
438        else
439                txb->payload_size = bytes;
440
441        if (rts_required) {
442                skb_frag = txb->fragments[0];
443                frag_hdr =
444                    (struct ieee80211_hdr_3addrqos *)skb_put(skb_frag, hdr_len);
445
446                /*
447                 * Set header frame_ctl to the RTS.
448                 */
449                header.frame_ctl =
450                    cpu_to_le16(IEEE80211_FTYPE_CTL | IEEE80211_STYPE_RTS);
451                memcpy(frag_hdr, &header, hdr_len);
452
453                /*
454                 * Restore header frame_ctl to the original data setting.
455                 */
456                header.frame_ctl = cpu_to_le16(fc);
457
458                if (ieee->config &
459                    (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS))
460                        skb_put(skb_frag, 4);
461
462                txb->rts_included = 1;
463                i = 1;
464        } else
465                i = 0;
466
467        for (; i < nr_frags; i++) {
468                skb_frag = txb->fragments[i];
469
470                if (host_encrypt || host_build_iv)
471                        skb_reserve(skb_frag,
472                                    crypt->ops->extra_mpdu_prefix_len);
473
474                frag_hdr =
475                    (struct ieee80211_hdr_3addrqos *)skb_put(skb_frag, hdr_len);
476                memcpy(frag_hdr, &header, hdr_len);
477
478                /* If this is not the last fragment, then add the MOREFRAGS
479                 * bit to the frame control */
480                if (i != nr_frags - 1) {
481                        frag_hdr->frame_ctl =
482                            cpu_to_le16(fc | IEEE80211_FCTL_MOREFRAGS);
483                        bytes = bytes_per_frag;
484                } else {
485                        /* The last fragment takes the remaining length */
486                        bytes = bytes_last_frag;
487                }
488
489                if (i == 0 && !snapped) {
490                        ieee80211_copy_snap(skb_put
491                                            (skb_frag, SNAP_SIZE + sizeof(u16)),
492                                            ether_type);
493                        bytes -= SNAP_SIZE + sizeof(u16);
494                }
495
496                skb_copy_from_linear_data(skb, skb_put(skb_frag, bytes), bytes);
497
498                /* Advance the SKB... */
499                skb_pull(skb, bytes);
500
501                /* Encryption routine will move the header forward in order
502                 * to insert the IV between the header and the payload */
503                if (host_encrypt)
504                        ieee80211_encrypt_fragment(ieee, skb_frag, hdr_len);
505                else if (host_build_iv) {
506                        atomic_inc(&crypt->refcnt);
507                        if (crypt->ops->build_iv)
508                                crypt->ops->build_iv(skb_frag, hdr_len,
509                                      ieee->sec.keys[ieee->sec.active_key],
510                                      ieee->sec.key_sizes[ieee->sec.active_key],
511                                      crypt->priv);
512                        atomic_dec(&crypt->refcnt);
513                }
514
515                if (ieee->config &
516                    (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS))
517                        skb_put(skb_frag, 4);
518        }
519
520      success:
521        spin_unlock_irqrestore(&ieee->lock, flags);
522
523        dev_kfree_skb_any(skb);
524
525        if (txb) {
526                int ret = (*ieee->hard_start_xmit) (txb, dev, priority);
527                if (ret == 0) {
528                        stats->tx_packets++;
529                        stats->tx_bytes += txb->payload_size;
530                        return 0;
531                }
532
533                ieee80211_txb_free(txb);
534        }
535
536        return 0;
537
538      failed:
539        spin_unlock_irqrestore(&ieee->lock, flags);
540        netif_stop_queue(dev);
541        stats->tx_errors++;
542        return 1;
543}
544
545EXPORT_SYMBOL(ieee80211_txb_free);