netdev: iov_ie_append: Support iovecs with multiple IEs

iov_ie_append assumed that a single IE was being added and thus the length of the IE could be extracted directly from the element. However, iov_ie_append was used on buffers which could contain multiple IEs concatenated together, for example in handshake_state::vendor_ies. Most of the time this was safe since vendor_ies was NULL or contained a single element, but would result in incorrect behavior in the general case. Fix that by changing iov_ie_append signature to take an explicit length argument and have the caller specify whether the element is a single IE or multiple. Fixes: 7e9971661b ("netdev: Append any vendor IEs from the handshake")
2024-11-22 06:29:23 +01:00 · 2023-11-30 15:05:14 -06:00 · 2023-11-30 15:05:14 -06:00 · fda946e070
commit fda946e070
parent ba0d35ff38
1 changed files with 19 additions and 13 deletions
--- a/src/netdev.c
+++ b/src/netdev.c
@ -209,7 +209,7 @@ static bool mac_per_ssid;
 static unsigned int iov_ie_append(struct iovec *iov,
 					unsigned int n_iov, unsigned int c,
-					const uint8_t *ie)
+					const uint8_t *ie, size_t len)
 {
 	if (L_WARN_ON(c >= n_iov))
 		return n_iov;
@ -218,7 +218,7 @@ static unsigned int iov_ie_append(struct iovec *iov,
 		return c;
 	iov[c].iov_base = (void *) ie;
-	iov[c].iov_len = ie[1] + 2;
+	iov[c].iov_len = len;
 	return c + 1u;
 }
@ -286,19 +286,22 @@ static unsigned int netdev_populate_common_ies(struct netdev *netdev,
 	extended_capabilities = wiphy_get_extended_capabilities(netdev->wiphy,
 								netdev->type);
-	c_iov = iov_ie_append(iov, n_iov, c_iov, extended_capabilities);
+	c_iov = iov_ie_append(iov, n_iov, c_iov, extended_capabilities,
 				IE_LEN(extended_capabilities));
 	rm_enabled_capabilities =
 		wiphy_get_rm_enabled_capabilities(netdev->wiphy);
-	c_iov = iov_ie_append(iov, n_iov, c_iov, rm_enabled_capabilities);
+	c_iov = iov_ie_append(iov, n_iov, c_iov, rm_enabled_capabilities,
 				IE_LEN(rm_enabled_capabilities));
 	if (rm_enabled_capabilities)
 		l_genl_msg_append_attr(msg, NL80211_ATTR_USE_RRM, 0, NULL);
-	c_iov = iov_ie_append(iov, n_iov, c_iov, hs->vendor_ies);
+	c_iov = iov_ie_append(iov, n_iov, c_iov,
 				hs->vendor_ies, hs->vendor_ies_len);
-	if (hs->fils_ip_req_ie)
+	c_iov = iov_ie_append(iov, n_iov, c_iov, hs->fils_ip_req_ie,
-		c_iov = iov_ie_append(iov, n_iov, c_iov, hs->fils_ip_req_ie);
+				IE_LEN(hs->fils_ip_req_ie));
 	return c_iov;
 }
@ -2502,7 +2505,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 	if (is_rsn) {
 		nl80211_append_rsn_attributes(msg, hs);
-		c_iov = iov_ie_append(iov, n_iov, c_iov, hs->supplicant_ie);
+		c_iov = iov_ie_append(iov, n_iov, c_iov, hs->supplicant_ie,
 					IE_LEN(hs->supplicant_ie));
 	}
 	if (is_rsn || hs->settings_8021x) {
@ -2517,10 +2521,10 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 	if (netdev->owe_sm) {
 		owe_build_dh_ie(netdev->owe_sm, owe_dh_ie, &dh_ie_len);
-		c_iov = iov_ie_append(iov, n_iov, c_iov, owe_dh_ie);
+		c_iov = iov_ie_append(iov, n_iov, c_iov, owe_dh_ie, dh_ie_len);
 	}
-	c_iov = iov_ie_append(iov, n_iov, c_iov, hs->mde);
+	c_iov = iov_ie_append(iov, n_iov, c_iov, hs->mde, IE_LEN(hs->mde));
 	c_iov = netdev_populate_common_ies(netdev, hs, msg, iov, n_iov, c_iov);
 	mpdu_sort_ies(subtype, iov, c_iov);
@ -3267,9 +3271,11 @@ static void netdev_sae_tx_associate(void *user_data)
 	msg = netdev_build_cmd_associate_common(netdev);
-	n_used = iov_ie_append(iov, n_iov, n_used, hs->supplicant_ie);
+	n_used = iov_ie_append(iov, n_iov, n_used, hs->supplicant_ie,
-	n_used = iov_ie_append(iov, n_iov, n_used, hs->mde);
+						IE_LEN(hs->supplicant_ie));
-	n_used = iov_ie_append(iov, n_iov, n_used, hs->supplicant_rsnxe);
+	n_used = iov_ie_append(iov, n_iov, n_used, hs->mde, IE_LEN(hs->mde));
 	n_used = iov_ie_append(iov, n_iov, n_used, hs->supplicant_rsnxe,
 					IE_LEN(hs->supplicant_rsnxe));
 	n_used = netdev_populate_common_ies(netdev, hs, msg,
 							iov, n_iov, n_used);
 	mpdu_sort_ies(subtype, iov, n_used);