diff options
Diffstat (limited to 'net/ieee80211/ieee80211_rx.c')
| -rw-r--r-- | net/ieee80211/ieee80211_rx.c | 56 |
1 files changed, 39 insertions, 17 deletions
diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c index 72d4d4e04d42..770704183a1b 100644 --- a/net/ieee80211/ieee80211_rx.c +++ b/net/ieee80211/ieee80211_rx.c | |||
| @@ -779,33 +779,44 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb, | |||
| 779 | return 0; | 779 | return 0; |
| 780 | } | 780 | } |
| 781 | 781 | ||
| 782 | /* Filter out unrelated packets, call ieee80211_rx[_mgt] */ | 782 | /* Filter out unrelated packets, call ieee80211_rx[_mgt] |
| 783 | int ieee80211_rx_any(struct ieee80211_device *ieee, | 783 | * This function takes over the skb, it should not be used again after calling |
| 784 | * this function. */ | ||
| 785 | void ieee80211_rx_any(struct ieee80211_device *ieee, | ||
| 784 | struct sk_buff *skb, struct ieee80211_rx_stats *stats) | 786 | struct sk_buff *skb, struct ieee80211_rx_stats *stats) |
| 785 | { | 787 | { |
| 786 | struct ieee80211_hdr_4addr *hdr; | 788 | struct ieee80211_hdr_4addr *hdr; |
| 787 | int is_packet_for_us; | 789 | int is_packet_for_us; |
| 788 | u16 fc; | 790 | u16 fc; |
| 789 | 791 | ||
| 790 | if (ieee->iw_mode == IW_MODE_MONITOR) | 792 | if (ieee->iw_mode == IW_MODE_MONITOR) { |
| 791 | return ieee80211_rx(ieee, skb, stats) ? 0 : -EINVAL; | 793 | if (!ieee80211_rx(ieee, skb, stats)) |
| 794 | dev_kfree_skb_irq(skb); | ||
| 795 | return; | ||
| 796 | } | ||
| 797 | |||
| 798 | if (skb->len < sizeof(struct ieee80211_hdr)) | ||
| 799 | goto drop_free; | ||
| 792 | 800 | ||
| 793 | hdr = (struct ieee80211_hdr_4addr *)skb->data; | 801 | hdr = (struct ieee80211_hdr_4addr *)skb->data; |
| 794 | fc = le16_to_cpu(hdr->frame_ctl); | 802 | fc = le16_to_cpu(hdr->frame_ctl); |
| 795 | 803 | ||
| 796 | if ((fc & IEEE80211_FCTL_VERS) != 0) | 804 | if ((fc & IEEE80211_FCTL_VERS) != 0) |
| 797 | return -EINVAL; | 805 | goto drop_free; |
| 798 | 806 | ||
| 799 | switch (fc & IEEE80211_FCTL_FTYPE) { | 807 | switch (fc & IEEE80211_FCTL_FTYPE) { |
| 800 | case IEEE80211_FTYPE_MGMT: | 808 | case IEEE80211_FTYPE_MGMT: |
| 809 | if (skb->len < sizeof(struct ieee80211_hdr_3addr)) | ||
| 810 | goto drop_free; | ||
| 801 | ieee80211_rx_mgt(ieee, hdr, stats); | 811 | ieee80211_rx_mgt(ieee, hdr, stats); |
| 802 | return 0; | 812 | dev_kfree_skb_irq(skb); |
| 813 | return; | ||
| 803 | case IEEE80211_FTYPE_DATA: | 814 | case IEEE80211_FTYPE_DATA: |
| 804 | break; | 815 | break; |
| 805 | case IEEE80211_FTYPE_CTL: | 816 | case IEEE80211_FTYPE_CTL: |
| 806 | return 0; | 817 | return; |
| 807 | default: | 818 | default: |
| 808 | return -EINVAL; | 819 | return; |
| 809 | } | 820 | } |
| 810 | 821 | ||
| 811 | is_packet_for_us = 0; | 822 | is_packet_for_us = 0; |
| @@ -849,8 +860,14 @@ int ieee80211_rx_any(struct ieee80211_device *ieee, | |||
| 849 | } | 860 | } |
| 850 | 861 | ||
| 851 | if (is_packet_for_us) | 862 | if (is_packet_for_us) |
| 852 | return (ieee80211_rx(ieee, skb, stats) ? 0 : -EINVAL); | 863 | if (!ieee80211_rx(ieee, skb, stats)) |
| 853 | return 0; | 864 | dev_kfree_skb_irq(skb); |
| 865 | return; | ||
| 866 | |||
| 867 | drop_free: | ||
| 868 | dev_kfree_skb_irq(skb); | ||
| 869 | ieee->stats.rx_dropped++; | ||
| 870 | return; | ||
| 854 | } | 871 | } |
| 855 | 872 | ||
| 856 | #define MGMT_FRAME_FIXED_PART_LENGTH 0x24 | 873 | #define MGMT_FRAME_FIXED_PART_LENGTH 0x24 |
| @@ -1061,13 +1078,16 @@ static int ieee80211_parse_info_param(struct ieee80211_info_element | |||
| 1061 | 1078 | ||
| 1062 | while (length >= sizeof(*info_element)) { | 1079 | while (length >= sizeof(*info_element)) { |
| 1063 | if (sizeof(*info_element) + info_element->len > length) { | 1080 | if (sizeof(*info_element) + info_element->len > length) { |
| 1064 | IEEE80211_DEBUG_MGMT("Info elem: parse failed: " | 1081 | IEEE80211_ERROR("Info elem: parse failed: " |
| 1065 | "info_element->len + 2 > left : " | 1082 | "info_element->len + 2 > left : " |
| 1066 | "info_element->len+2=%zd left=%d, id=%d.\n", | 1083 | "info_element->len+2=%zd left=%d, id=%d.\n", |
| 1067 | info_element->len + | 1084 | info_element->len + |
| 1068 | sizeof(*info_element), | 1085 | sizeof(*info_element), |
| 1069 | length, info_element->id); | 1086 | length, info_element->id); |
| 1070 | return 1; | 1087 | /* We stop processing but don't return an error here |
| 1088 | * because some misbehaviour APs break this rule. ie. | ||
| 1089 | * Orinoco AP1000. */ | ||
| 1090 | break; | ||
| 1071 | } | 1091 | } |
| 1072 | 1092 | ||
| 1073 | switch (info_element->id) { | 1093 | switch (info_element->id) { |
| @@ -1166,6 +1186,7 @@ static int ieee80211_parse_info_param(struct ieee80211_info_element | |||
| 1166 | 1186 | ||
| 1167 | case MFIE_TYPE_ERP_INFO: | 1187 | case MFIE_TYPE_ERP_INFO: |
| 1168 | network->erp_value = info_element->data[0]; | 1188 | network->erp_value = info_element->data[0]; |
| 1189 | network->flags |= NETWORK_HAS_ERP_VALUE; | ||
| 1169 | IEEE80211_DEBUG_MGMT("MFIE_TYPE_ERP_SET: %d\n", | 1190 | IEEE80211_DEBUG_MGMT("MFIE_TYPE_ERP_SET: %d\n", |
| 1170 | network->erp_value); | 1191 | network->erp_value); |
| 1171 | break; | 1192 | break; |
| @@ -1729,5 +1750,6 @@ void ieee80211_rx_mgt(struct ieee80211_device *ieee, | |||
| 1729 | } | 1750 | } |
| 1730 | } | 1751 | } |
| 1731 | 1752 | ||
| 1753 | EXPORT_SYMBOL_GPL(ieee80211_rx_any); | ||
| 1732 | EXPORT_SYMBOL(ieee80211_rx_mgt); | 1754 | EXPORT_SYMBOL(ieee80211_rx_mgt); |
| 1733 | EXPORT_SYMBOL(ieee80211_rx); | 1755 | EXPORT_SYMBOL(ieee80211_rx); |