aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--net/mac80211/mesh_hwmp.c4
-rw-r--r--net/mac80211/mesh_plink.c4
-rw-r--r--net/mac80211/mlme.c5
3 files changed, 11 insertions, 2 deletions
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index eeb0ce2d5d37..59fd7fe377e0 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -581,6 +581,10 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
581 size_t baselen; 581 size_t baselen;
582 u32 last_hop_metric; 582 u32 last_hop_metric;
583 583
584 /* need action_code */
585 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
586 return;
587
584 baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt; 588 baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;
585 ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable, 589 ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
586 len - baselen, &elems); 590 len - baselen, &elems);
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index 7714b0e6e4d7..74983cfa7293 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -421,6 +421,10 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
421 DECLARE_MAC_BUF(mac); 421 DECLARE_MAC_BUF(mac);
422#endif 422#endif
423 423
424 /* need action_code, aux */
425 if (len < IEEE80211_MIN_ACTION_SIZE + 3)
426 return;
427
424 if (is_multicast_ether_addr(mgmt->da)) { 428 if (is_multicast_ether_addr(mgmt->da)) {
425 mpl_dbg("Mesh plink: ignore frame from multicast address"); 429 mpl_dbg("Mesh plink: ignore frame from multicast address");
426 return; 430 return;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ae97d7e9945d..eb1832aa1fe5 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -60,7 +60,7 @@
60 60
61#define ERP_INFO_USE_PROTECTION BIT(1) 61#define ERP_INFO_USE_PROTECTION BIT(1)
62 62
63/* mgmt header + 1 byte action code */ 63/* mgmt header + 1 byte category code */
64#define IEEE80211_MIN_ACTION_SIZE (24 + 1) 64#define IEEE80211_MIN_ACTION_SIZE (24 + 1)
65 65
66#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002 66#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
@@ -2988,7 +2988,8 @@ static void ieee80211_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
2988{ 2988{
2989 struct ieee80211_local *local = sdata->local; 2989 struct ieee80211_local *local = sdata->local;
2990 2990
2991 if (len < IEEE80211_MIN_ACTION_SIZE) 2991 /* all categories we currently handle have action_code */
2992 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2992 return; 2993 return;
2993 2994
2994 switch (mgmt->u.action.category) { 2995 switch (mgmt->u.action.category) {