diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2008-09-08 15:41:59 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2008-09-11 21:53:35 +0200 |
commit | 9c80d3dc272ec5ce44a7564e5392f950ad38357a (patch) | |
tree | 43b8e45567c790212581b117e9d06ae5f5fd975b /net/mac80211/mesh_hwmp.c | |
parent | mac80211: BSS info: check channel first (diff) | |
download | linux-9c80d3dc272ec5ce44a7564e5392f950ad38357a.tar.xz linux-9c80d3dc272ec5ce44a7564e5392f950ad38357a.zip |
mac80211: fix action frame length checks
The action frame length checks are one too small, there's not just
an action code as the comment makes you believe, there's a category
code too, and the category code is required in each action frame
(hence part of IEEE80211_MIN_ACTION_SIZE).
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211/mesh_hwmp.c')
-rw-r--r-- | net/mac80211/mesh_hwmp.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c index eeb0ce2d5d37..59fd7fe377e0 100644 --- a/net/mac80211/mesh_hwmp.c +++ b/net/mac80211/mesh_hwmp.c @@ -581,6 +581,10 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata, size_t baselen; u32 last_hop_metric; + /* need action_code */ + if (len < IEEE80211_MIN_ACTION_SIZE + 1) + return; + baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt; ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable, len - baselen, &elems); |