On May 28, 2010, at 1:34 PM, Johannes Berg wrote:

> One thing I ask myself though is do we ever check that the frame is long
> enough? In the patch below I will by checking the skb_copy_bits() return
> value, but without that we don't, as far as I can tell?

Good point.

> --- wireless-testing.orig/net/mac80211/rx.c 2010-05-28 22:25:07.000000000 +0200
> +++ wireless-testing/net/mac80211/rx.c 2010-05-28 22:33:30.000000000 +0200
> @@ -1819,17 +1819,26 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_
> return RX_CONTINUE;
>
> if (ieee80211_is_back_req(bar->frame_control)) {
> + struct {
> + __le16 control, start_seq_num;
> + } __packed bar_data;
> +
> + if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
> + &bar_data, sizeof(bar_data)))
> + return RX_DROP_MONITOR;
> +
> if (!rx->sta)
> return RX_DROP_MONITOR;

Maybe invert the order of these two exit conditions? Figure most CPUs will
speculate anyway, but the second check seems a more efficient short-circuit.

Dan
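Review bot: the `if (!rx->sta)` test should precede the skb_copy_bits() call, as Dan suggests: it is a plain pointer check, whereas the copy reads skb data, so the cheaper test should gate the copy and the copy is then only attempted for frames that can still be processed. The non-zero return from skb_copy_bits() is the length check the surrounding discussion asks about, since the copy fails when the skb holds fewer than offsetof(struct ieee80211_bar, control) + sizeof(bar_data) bytes; a one-line comment stating that this is the bounds check for short BAR frames would make the intent clear to the next reader. The visible part of the hunk ends before bar_data is used, so whether the code that follows reads start_seq_num from bar_data rather than from bar directly cannot be confirmed from these lines.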