Diffstat (limited to 'net/mac80211/util.c')
-rw-r--r--net/mac80211/util.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 7b278e9aa1a4..fb7fd896cd0d 100644
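--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -135,13 +135,16 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
 {
 u16 fc;
 
-if (len < 24)
+/* drop ACK/CTS frames and incorrect hdr len (ctrl) */
+if (len < 16)
 return NULL;
 
 fc = le16_to_cpu(hdr->frame_control);
 
 switch (fc & IEEE80211_FCTL_FTYPE) {
 case IEEE80211_FTYPE_DATA:
+if (len < 24) /* drop incorrect hdr len (data) */
+return NULL;
 switch (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
 case IEEE80211_FCTL_TODS:
 return hdr->addr1;
@@ -154,6 +157,8 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
 }
 break;
 case IEEE80211_FTYPE_MGMT:
+if (len < 24) /* drop incorrect hdr len (mgmt) */
+return NULL;
 return hdr->addr3;
 case IEEE80211_FTYPE_CTL:
 if ((fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_PSPOLL)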
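Review bot: The three length guards in ieee80211_get_bssid() use bare `16` and `24`, and nothing ties them to the header fields they protect. With the early check relaxed to `len < 16`, frames of 16–23 bytes now reach the switch, so any branch that returns `hdr->addr3` must keep its own `len < 24` guard (as the data and mgmt cases do here), and the control path may only hand back addr1 or addr2. Consider deriving the early bound from the struct, e.g. `if (len < offsetof(struct ieee80211_hdr, addr3))`, and documenting it with a comment such as `/* 16 = fc + duration + addr1 + addr2: enough for PS-Poll, too short for addr3 */`, assuming the usual packed header layout. The control-frame branch continues past the end of the hunk, so which address it returns cannot be confirmed from here.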