-rw-r--r--net/mac80211/rx.c11
-rw-r--r--net/mac80211/util.c7
2 files changed, 15 insertions, 3 deletions
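--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -61,8 +61,10 @@ static inline int should_drop_frame(struct ieee80211_rx_status *status,
 		return 1;
 	if (unlikely(skb->len < 16 + present_fcs_len + radiotap_len))
 		return 1;
-	if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FTYPE)) ==
-	    cpu_to_le16(IEEE80211_FTYPE_CTL))
+	if (((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FTYPE)) ==
+	     cpu_to_le16(IEEE80211_FTYPE_CTL)) &&
+	    ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE)) !=
+	     cpu_to_le16(IEEE80211_STYPE_PSPOLL)))
 		return 1;
 	return 0;
 }
@@ -896,6 +898,7 @@ ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx)
 static ieee80211_txrx_result
 ieee80211_rx_h_ps_poll(struct ieee80211_txrx_data *rx)
 {
+	struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
 	struct sk_buff *skb;
 	int no_pending_pkts;
 	DECLARE_MAC_BUF(mac);
@@ -906,6 +909,10 @@ ieee80211_rx_h_ps_poll(struct ieee80211_txrx_data *rx)
 		     !(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)))
 		return TXRX_CONTINUE;
 
+	if ((sdata->type != IEEE80211_IF_TYPE_AP) &&
+	    (sdata->type != IEEE80211_IF_TYPE_VLAN))
+		return TXRX_DROP;
+
 	skb = skb_dequeue(&rx->sta->tx_filtered);
 	if (!skb) {
 		skb = skb_dequeue(&rx->sta->ps_tx_buf);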
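Review bot: The PS-Poll exemption added to should_drop_frame is undocumented, and it widens the set of frames that reach the RX handler chain with only the 16-byte minimum guaranteed by the length check two lines above, so every later handler that reads beyond addr2 now has to tolerate a short control header. A comment above the new condition should state that contract, e.g. `/* PS-Poll is the only control frame we handle; its header is 16 bytes, which is all the length check above guarantees */`. In ieee80211_rx_h_ps_poll the new interface-type check is correct but sits after the earlier sta/RA-match condition whose start is outside the hunk; a one-line `/* only an AP (or its VLAN) has buffered frames to release */` would explain why other interface types drop rather than continue. The enclosing function continues past the end of the hunk.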
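--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -135,13 +135,16 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
 {
 	u16 fc;
 
-	if (len < 24)
+	/* drop ACK/CTS frames and incorrect hdr len (ctrl) */
+	if (len < 16)
 		return NULL;
 
 	fc = le16_to_cpu(hdr->frame_control);
 
 	switch (fc & IEEE80211_FCTL_FTYPE) {
 	case IEEE80211_FTYPE_DATA:
+		if (len < 24) /* drop incorrect hdr len (data) */
+			return NULL;
 		switch (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
 		case IEEE80211_FCTL_TODS:
 			return hdr->addr1;
@@ -154,6 +157,8 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
 		}
 		break;
 	case IEEE80211_FTYPE_MGMT:
+		if (len < 24) /* drop incorrect hdr len (mgmt) */
+			return NULL;
 		return hdr->addr3;
 	case IEEE80211_FTYPE_CTL:
 		if ((fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_PSPOLL)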
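Review bot: The comment on the relaxed entry check, `/* drop ACK/CTS frames and incorrect hdr len (ctrl) */`, is misleading because the `len < 16` test now governs every frame type, not just control frames, and the real invariant is that 16 bytes is the shortest header any arm of the switch reads before its own check. Rewording it as `/* 16 bytes is the shortest header we dereference (PS-Poll); data and mgmt re-check for 24 below */` states what the code actually relies on. The `len < 24` test is now duplicated verbatim in the DATA and MGMT arms; since both arms need the full three-address header before touching addr1..addr3, a single `if ((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_CTL && len < 24) return NULL;` before the switch would remove the repetition. The function's header comment (outside the hunk) should also record that `len` is the number of header bytes the caller has verified as present, since that is the only thing making the `hdr->addr*` reads safe. The CTL arm and the rest of the function continue past the end of the hunk.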