diff options
| author | Johannes Berg <johannes@sipsolutions.net> | 2008-09-08 09:41:59 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2008-09-11 15:53:35 -0400 |
| commit | 9c80d3dc272ec5ce44a7564e5392f950ad38357a (patch) | |
| tree | 43b8e45567c790212581b117e9d06ae5f5fd975b /net | |
| parent | 5bda617576e58c7213aef5ab90383f303727b5b1 (diff) | |
mac80211: fix action frame length checks
The action frame length checks are one too small, there's not just
an action code as the comment makes you believe, there's a category
code too, and the category code is required in each action frame
(hence part of IEEE80211_MIN_ACTION_SIZE).
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/mac80211/mesh_hwmp.c | 4 | ||||
| -rw-r--r-- | net/mac80211/mesh_plink.c | 4 | ||||
| -rw-r--r-- | net/mac80211/mlme.c | 5 |
3 files changed, 11 insertions, 2 deletions
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c index eeb0ce2d5d37..59fd7fe377e0 100644 --- a/net/mac80211/mesh_hwmp.c +++ b/net/mac80211/mesh_hwmp.c | |||
| @@ -581,6 +581,10 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata, | |||
| 581 | size_t baselen; | 581 | size_t baselen; |
| 582 | u32 last_hop_metric; | 582 | u32 last_hop_metric; |
| 583 | 583 | ||
| 584 | /* need action_code */ | ||
| 585 | if (len < IEEE80211_MIN_ACTION_SIZE + 1) | ||
| 586 | return; | ||
| 587 | |||
| 584 | baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt; | 588 | baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt; |
| 585 | ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable, | 589 | ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable, |
| 586 | len - baselen, &elems); | 590 | len - baselen, &elems); |
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c index 7714b0e6e4d7..74983cfa7293 100644 --- a/net/mac80211/mesh_plink.c +++ b/net/mac80211/mesh_plink.c | |||
| @@ -421,6 +421,10 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m | |||
| 421 | DECLARE_MAC_BUF(mac); | 421 | DECLARE_MAC_BUF(mac); |
| 422 | #endif | 422 | #endif |
| 423 | 423 | ||
| 424 | /* need action_code, aux */ | ||
| 425 | if (len < IEEE80211_MIN_ACTION_SIZE + 3) | ||
| 426 | return; | ||
| 427 | |||
| 424 | if (is_multicast_ether_addr(mgmt->da)) { | 428 | if (is_multicast_ether_addr(mgmt->da)) { |
| 425 | mpl_dbg("Mesh plink: ignore frame from multicast address"); | 429 | mpl_dbg("Mesh plink: ignore frame from multicast address"); |
| 426 | return; | 430 | return; |
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index ae97d7e9945d..eb1832aa1fe5 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c | |||
| @@ -60,7 +60,7 @@ | |||
| 60 | 60 | ||
| 61 | #define ERP_INFO_USE_PROTECTION BIT(1) | 61 | #define ERP_INFO_USE_PROTECTION BIT(1) |
| 62 | 62 | ||
| 63 | /* mgmt header + 1 byte action code */ | 63 | /* mgmt header + 1 byte category code */ |
| 64 | #define IEEE80211_MIN_ACTION_SIZE (24 + 1) | 64 | #define IEEE80211_MIN_ACTION_SIZE (24 + 1) |
| 65 | 65 | ||
| 66 | #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002 | 66 | #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002 |
| @@ -2988,7 +2988,8 @@ static void ieee80211_rx_mgmt_action(struct ieee80211_sub_if_data *sdata, | |||
| 2988 | { | 2988 | { |
| 2989 | struct ieee80211_local *local = sdata->local; | 2989 | struct ieee80211_local *local = sdata->local; |
| 2990 | 2990 | ||
| 2991 | if (len < IEEE80211_MIN_ACTION_SIZE) | 2991 | /* all categories we currently handle have action_code */ |
| 2992 | if (len < IEEE80211_MIN_ACTION_SIZE + 1) | ||
| 2992 | return; | 2993 | return; |
| 2993 | 2994 | ||
| 2994 | switch (mgmt->u.action.category) { | 2995 | switch (mgmt->u.action.category) { |