
[PATCH 4/3] mac80211: fix action frame length checks

The action frame length checks are one too small: there is not just
an action code, as the comment makes you believe, there is a category
code too, and the category code is required in each action frame
(hence part of IEEE80211_MIN_ACTION_SIZE).

Signed-off-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
---
 net/mac80211/mesh_hwmp.c  |    4 ++++
 net/mac80211/mesh_plink.c |    4 ++++
 net/mac80211/mlme.c       |    5 +++--
 3 files changed, 11 insertions(+), 2 deletions(-)

--- everything.orig/net/mac80211/mesh_hwmp.c	2008-09-08 15:37:12.000000000 +0200
+++ everything/net/mac80211/mesh_hwmp.c	2008-09-08 15:37:25.000000000 +0200
@@ -581,6 +581,10 @@ void mesh_rx_path_sel_frame(struct ieee8
 	size_t baselen;
 	u32 last_hop_metric;
 
+	/* need action_code */
+	if (len < IEEE80211_MIN_ACTION_SIZE + 1)
+		return;
+
 	baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;
 	ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
 			len - baselen, &elems);
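Review bot: the real job of this check is to keep the `len - baselen` subtraction a few lines down from wrapping (both operands are `size_t`), and that only holds if `baselen` is exactly `IEEE80211_MIN_ACTION_SIZE + 1`, i.e. if `mesh_action.variable` sits right after a single action-code byte. The comment `/* need action_code */` does not say this. Consider computing `baselen` first and checking `if (len < baselen) return;` so the bound and the offset cannot drift apart, or at least state the dependency in the comment.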
--- everything.orig/net/mac80211/mesh_plink.c	2008-09-08 15:37:12.000000000 +0200
+++ everything/net/mac80211/mesh_plink.c	2008-09-08 15:37:25.000000000 +0200
@@ -421,6 +421,10 @@ void mesh_rx_plink_frame(struct ieee8021
 	DECLARE_MAC_BUF(mac);
 #endif
 
+	/* need action_code, aux */
+	if (len < IEEE80211_MIN_ACTION_SIZE + 3)
+		return;
+
 	if (is_multicast_ether_addr(mgmt->da)) {
 		mpl_dbg("Mesh plink: ignore frame from multicast address");
 		return;
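Review bot: the `+ 3` in `if (len < IEEE80211_MIN_ACTION_SIZE + 3)` is not explained by `/* need action_code, aux */`; the comment should spell out the byte accounting (one byte for the action code plus however many `aux` occupies) so a later reader can verify the constant against the frame layout instead of trusting it. A named constant or `sizeof` on the relevant struct fields would make the relation self-checking.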
--- everything.orig/net/mac80211/mlme.c	2008-09-08 15:37:17.000000000 +0200
+++ everything/net/mac80211/mlme.c	2008-09-08 15:37:25.000000000 +0200
@@ -60,7 +60,7 @@
 
 #define ERP_INFO_USE_PROTECTION BIT(1)
 
-/* mgmt header + 1 byte action code */
+/* mgmt header + 1 byte category code */
 #define IEEE80211_MIN_ACTION_SIZE (24 + 1)
 
 #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
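Review bot: the corrected comment `/* mgmt header + 1 byte category code */` is right, but it would help to also say that any handler which reads `action_code` must check for `IEEE80211_MIN_ACTION_SIZE + 1`, since this is exactly the off-by-one the series is fixing and the define alone invites the same mistake again. The bare `24` would read better as a named management-header-size constant.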
@@ -2989,7 +2989,8 @@ static void ieee80211_rx_mgmt_action(str
 {
 	struct ieee80211_local *local = sdata->local;
 
-	if (len < IEEE80211_MIN_ACTION_SIZE)
+	/* all categories we currently handle have action_code */
+	if (len < IEEE80211_MIN_ACTION_SIZE + 1)
 		return;
 
 	switch (mgmt->u.action.category) {
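Review bot: `/* all categories we currently handle have action_code */` turns the `+ 1` into a global assumption that every future category will also carry an action code; a category without one would be silently dropped here rather than failing loudly in its own case. Consider keeping the generic check at `IEEE80211_MIN_ACTION_SIZE` and adding the `+ 1` (or the category-specific minimum) inside each `switch (mgmt->u.action.category)` case, or at least say in the comment that new categories must revisit this bound.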

