mac80211: fix action frame length checks
The action frame length checks are one byte too small: there is not just an action code, as the comment makes you believe, there is a category code too, and the category code is required in each action frame (hence part of IEEE80211_MIN_ACTION_SIZE). Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent
5bda617576
commit
9c80d3dc27
3 changed files with 11 additions and 2 deletions
|
@ -581,6 +581,10 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
|
|||
size_t baselen;
|
||||
u32 last_hop_metric;
|
||||
|
||||
/* need action_code */
|
||||
if (len < IEEE80211_MIN_ACTION_SIZE + 1)
|
||||
return;
|
||||
|
||||
baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;
|
||||
ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
|
||||
len - baselen, &elems);
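Review bot: The new guard `if (len < IEEE80211_MIN_ACTION_SIZE + 1)` hard-codes the offset of `mesh_action.variable` as `+ 1`, while the length handed to `ieee802_11_parse_elems` a few lines later is `len - baselen` with `baselen` derived from that very member; if a fixed field is ever added before `variable`, the two drift apart and `len - baselen` underflows again. Computing `baselen` first and checking against it keeps the guard and the subtraction in step: `baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;` followed by `if (len < baselen) return;`. The comment `/* need action_code */` could then state what is actually guaranteed, e.g. `/* need category and action_code: everything before the IEs */`. mesh_rx_path_sel_frame starts and ends outside this hunk, so any earlier reads of the fixed fields are not visible here.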
|
||||
|
|
|
@ -421,6 +421,10 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
|
|||
DECLARE_MAC_BUF(mac);
|
||||
#endif
|
||||
|
||||
/* need action_code, aux */
|
||||
if (len < IEEE80211_MIN_ACTION_SIZE + 3)
|
||||
return;
|
||||
|
||||
if (is_multicast_ether_addr(mgmt->da)) {
|
||||
mpl_dbg("Mesh plink: ignore frame from multicast address");
|
||||
return;
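Review bot: `IEEE80211_MIN_ACTION_SIZE + 3` is a magic number: the comment names `action_code, aux` but nothing in the hunk says how wide aux is, so a reader (or a later change to the fixed part of the plink action) has to cross-check the struct in the header by hand. If this handler later parses IEs from a `variable` member, as the path-selection handler in the same commit does, deriving the minimum from the struct with `offsetof(struct ieee80211_mgmt, u.action.u.<plink member>.variable)` (member name to be confirmed against the header) keeps the check tied to the layout; at minimum the comment should spell the arithmetic out, `/* need category (1), action_code (1), aux (2) */`. The rest of mesh_rx_plink_frame, including whatever it reads after the multicast check, is outside the hunk.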
|
||||
|
|
|
@ -60,7 +60,7 @@
|
|||
|
||||
#define ERP_INFO_USE_PROTECTION BIT(1)
|
||||
|
||||
/* mgmt header + 1 byte action code */
|
||||
/* mgmt header + 1 byte category code */
|
||||
#define IEEE80211_MIN_ACTION_SIZE (24 + 1)
|
||||
|
||||
#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
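Review bot: The corrected comment on `IEEE80211_MIN_ACTION_SIZE` says what the constant contains but not what it leaves out: now that it covers only the category byte, every handler has to add the action-code byte and any fixed per-action fields itself, which is exactly what the other hunks of this commit do with `+ 1` and `+ 3`. Stating that contract next to the definition stops the next caller from repeating the original off-by-one, e.g. `/* mgmt header (24 bytes) + 1 byte category code; callers must add the action code and any fixed per-action fields */`. The bare `24` could also be expressed in terms of the 3-address header struct if this header declares one, but that is a separate cleanup.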
|
||||
|
@ -2988,7 +2988,8 @@ static void ieee80211_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
|
|||
{
|
||||
struct ieee80211_local *local = sdata->local;
|
||||
|
||||
if (len < IEEE80211_MIN_ACTION_SIZE)
|
||||
/* all categories we currently handle have action_code */
|
||||
if (len < IEEE80211_MIN_ACTION_SIZE + 1)
|
||||
return;
|
||||
|
||||
switch (mgmt->u.action.category) {
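Review bot: The comment `/* all categories we currently handle have action_code */` turns the dispatcher's generic check into a statement about today's case list, which is the kind of assumption that silently goes stale: a category added later without an action-code byte, or one whose case needs more than one byte of fixed fields, is not protected by this single `+ 1`. Keeping the dispatcher at `if (len < IEEE80211_MIN_ACTION_SIZE)` (the category byte is all `switch (mgmt->u.action.category)` needs) and having each case check its own fixed fields would be more robust; failing that, the comment should say that each case must still validate anything beyond the action code, e.g. `/* category + action_code; each case validates its own fixed fields */`. The switch body is outside the hunk, so I cannot confirm which cases rely on this check alone.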
|
||||
|
|