From: Davis Mosenkovs davis@mosenkovs.lv
Commit e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL frames") uses skb_mac_header() before eth_type_trans() is called leading to incorrect pointer, the pointer gets written to. This issue has appeared during backporting to 4.4, 4.9 and 4.14.
Fixes: e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL frames") Link: https://lore.kernel.org/r/CAHQn7pKcyC_jYmGyTcPCdk9xxATwW5QPNph=bsZV8d-HPwNsy... Cc: stable@vger.kernel.org # 4.4.x Signed-off-by: Davis Mosenkovs davis@mosenkovs.lv Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/mac80211/rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2234,7 +2234,7 @@ ieee80211_deliver_skb(struct ieee80211_r #endif
if (skb) { - struct ethhdr *ehdr = (void *)skb_mac_header(skb); + struct ethhdr *ehdr = (struct ethhdr *)skb->data;
/* deliver to local stack */ skb->protocol = eth_type_trans(skb, dev);