-rw-r--r-- | net/mac80211/rx.c | 11 | ||||
-rw-r--r-- | net/mac80211/util.c | 7 |
2 files changed, 15 insertions, 3 deletions
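--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -61,8 +61,10 @@ static inline int should_drop_frame(struct ieee80211_rx_status *status,
 return 1;
 if (unlikely(skb->len < 16 + present_fcs_len + radiotap_len))
 return 1;
-if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FTYPE)) ==
-cpu_to_le16(IEEE80211_FTYPE_CTL))
+if (((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FTYPE)) ==
+cpu_to_le16(IEEE80211_FTYPE_CTL)) &&
+((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE)) !=
+cpu_to_le16(IEEE80211_STYPE_PSPOLL)))
 return 1;
 return 0;
 }
@@ -896,6 +898,7 @@ ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx)
 static ieee80211_txrx_result
 ieee80211_rx_h_ps_poll(struct ieee80211_txrx_data *rx)
 {
+struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
 struct sk_buff *skb;
 int no_pending_pkts;
 DECLARE_MAC_BUF(mac);
@@ -906,6 +909,10 @@ ieee80211_rx_h_ps_poll(struct ieee80211_txrx_data *rx)
 !(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)))
 return TXRX_CONTINUE;
 
+if ((sdata->type != IEEE80211_IF_TYPE_AP) &&
+(sdata->type != IEEE80211_IF_TYPE_VLAN))
+return TXRX_DROP;
+
 skb = skb_dequeue(&rx->sta->tx_filtered);
 if (!skb) {
 skb = skb_dequeue(&rx->sta->ps_tx_buf);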
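Review bot: Letting PS-Poll through `should_drop_frame` means frames as short as 16 bytes now enter the RX handler chain, since the only length guard visible in that function is still `skb->len < 16 + present_fcs_len + radiotap_len`. The other RX handlers are not shown on this page; any of them that reads `addr3` or `seq_ctrl` without first checking the frame type would read past the header of such a frame, so they should be audited alongside this change. In `ieee80211_rx_h_ps_poll` the new interface-type test sits after the `TXRX_CONTINUE` return, whose condition starts outside the hunk, so a PS-Poll that takes that early return on a non-AP interface is passed on rather than dropped. That is presumably intended, but it deserves a comment above the test such as `/* PS-Poll has a 16-byte header; only AP and VLAN interfaces answer it */`.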
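--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -135,13 +135,16 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
 {
 u16 fc;
 
-if (len < 24)
+/* drop ACK/CTS frames and incorrect hdr len (ctrl) */
+if (len < 16)
 return NULL;
 
 fc = le16_to_cpu(hdr->frame_control);
 
 switch (fc & IEEE80211_FCTL_FTYPE) {
 case IEEE80211_FTYPE_DATA:
+if (len < 24) /* drop incorrect hdr len (data) */
+return NULL;
 switch (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
 case IEEE80211_FCTL_TODS:
 return hdr->addr1;
@@ -154,6 +157,8 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
 }
 break;
 case IEEE80211_FTYPE_MGMT:
+if (len < 24) /* drop incorrect hdr len (mgmt) */
+return NULL;
 return hdr->addr3;
 case IEEE80211_FTYPE_CTL:
 if ((fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_PSPOLL)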
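Review bot: The new comments say "drop", but `ieee80211_get_bssid` only returns NULL for a short frame. Whether the frame is actually discarded depends on callers outside this page, so each caller should be checked for a NULL test before it compares or copies the returned address. The bare 16 and 24, repeated across three checks, would be easier to audit if tied to the header layout, for example with a comment at the top of the function such as `/* 16 = fc + duration + addr1 + addr2 (PS-Poll); 24 = three-address header through seq_ctrl */`. The function body continues past the last visible line, so the rest of the CTL case is not reviewed here.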