aboutsummaryrefslogtreecommitdiffstats
path: root/net/mac80211/mlme.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2008-09-08 09:41:59 -0400
committerJohn W. Linville <linville@tuxdriver.com>2008-09-11 15:53:35 -0400
commit9c80d3dc272ec5ce44a7564e5392f950ad38357a (patch)
tree43b8e45567c790212581b117e9d06ae5f5fd975b /net/mac80211/mlme.c
parent5bda617576e58c7213aef5ab90383f303727b5b1 (diff)
mac80211: fix action frame length checks
The action frame length checks are one too small, there's not just an action code as the comment makes you believe, there's a category code too, and the category code is required in each action frame (hence part of IEEE80211_MIN_ACTION_SIZE). Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211/mlme.c')
-rw-r--r--net/mac80211/mlme.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ae97d7e9945d..eb1832aa1fe5 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -60,7 +60,7 @@
60 60
61#define ERP_INFO_USE_PROTECTION BIT(1) 61#define ERP_INFO_USE_PROTECTION BIT(1)
62 62
63/* mgmt header + 1 byte action code */ 63/* mgmt header + 1 byte category code */
64#define IEEE80211_MIN_ACTION_SIZE (24 + 1) 64#define IEEE80211_MIN_ACTION_SIZE (24 + 1)
65 65
66#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002 66#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
@@ -2988,7 +2988,8 @@ static void ieee80211_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
2988{ 2988{
2989 struct ieee80211_local *local = sdata->local; 2989 struct ieee80211_local *local = sdata->local;
2990 2990
2991 if (len < IEEE80211_MIN_ACTION_SIZE) 2991 /* all categories we currently handle have action_code */
2992 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2992 return; 2993 return;
2993 2994
2994 switch (mgmt->u.action.category) { 2995 switch (mgmt->u.action.category) {