forge/linux-pinenote
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

mac80211: add missing length check for confirm frames

Browse source 
Although mesh_rx_plink_frame() already checks that frames have enough
bytes for the action code plus another two bytes for capability/reason
code, it doesn't take into account that confirm frames also have an
additional two-byte aid.  As a result, a corrupt frame could cause a
subsequent subtraction to wrap around to ill effect.  Add another
check for this case.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
Bob Copeland 2015-07-14 08:31:56 -04:00 committed by Johannes Berg
parent 2ea752cd2c
commit b3e7de873d
1 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
net/mac80211/mesh_plink.c
View file

@ -1122,6 +1122,9 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
WLAN_SP_MESH_PEERING_CONFIRM) { WLAN_SP_MESH_PEERING_CONFIRM) {
baseaddr += 4; baseaddr += 4;
baselen += 4; baselen += 4;
if (baselen > len)
return;
} }
ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems); ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems);
mesh_process_plink_frame(sdata, mgmt, &elems); mesh_process_plink_frame(sdata, mgmt, &elems);