Diffstat (limited to 'net/mac80211/util.c')
-rw-r--r-- | net/mac80211/util.c | 7 |
1 files changed, 6 insertions, 1 deletions
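--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -135,13 +135,16 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
 {
 u16 fc;
 
-if (len < 24)
+/* drop ACK/CTS frames and incorrect hdr len (ctrl) */
+if (len < 16)
 return NULL;
 
 fc = le16_to_cpu(hdr->frame_control);
 
 switch (fc & IEEE80211_FCTL_FTYPE) {
 case IEEE80211_FTYPE_DATA:
+if (len < 24) /* drop incorrect hdr len (data) */
+return NULL;
 switch (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
 case IEEE80211_FCTL_TODS:
 return hdr->addr1;
@@ -154,6 +157,8 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
 }
 break;
 case IEEE80211_FTYPE_MGMT:
+if (len < 24) /* drop incorrect hdr len (mgmt) */
+return NULL;
 return hdr->addr3;
 case IEEE80211_FTYPE_CTL:
 if ((fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_PSPOLL)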
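Review bot: The limits 16 and 24 now appear as bare literals in three places (the entry check and the DATA and MGMT cases), so the link between each limit and the header field it protects exists only in the trailing comments. With the entry check lowered to 16, only `frame_control`, `addr1` and `addr2` are guaranteed to lie inside the buffer, and every path that returns `hdr->addr3` depends on its own `len < 24` test. The CTL case continues past the end of the hunk, so it should be confirmed that it never reads beyond `addr2`. Consider deriving the limits from the struct layout, assuming the usual layout of `struct ieee80211_hdr`: `if (len < offsetof(struct ieee80211_hdr, addr3))` at entry and `if (len < offsetof(struct ieee80211_hdr, addr4))` in the DATA and MGMT cases. The entry comment would also be more accurate as `/* too short for addr1/addr2 (e.g. ACK/CTS): no BSSID to report */`, since this function returns NULL rather than dropping anything.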