Date: Thu, 9 Jun 2016 13:42:18 +0000 (UTC) From: Andriy Voskoboinyk <avos@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r301731 - head/sys/net80211 Message-ID: <201606091342.u59DgIAc083518@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: avos Date: Thu Jun 9 13:42:18 2016 New Revision: 301731 URL: https://svnweb.freebsd.org/changeset/base/301731 Log: net80211: discard an injected frame if it is smaller than header length. Do not try to pass such frames; a correct frame cannot be smaller than (the corresponding) header size. (for wpi(4) an additional check was added in r289012). PR: 144987 Modified: head/sys/net80211/ieee80211_output.c Modified: head/sys/net80211/ieee80211_output.c ============================================================================== --- head/sys/net80211/ieee80211_output.c Thu Jun 9 13:36:31 2016 (r301730) +++ head/sys/net80211/ieee80211_output.c Thu Jun 9 13:42:18 2016 (r301731) @@ -608,6 +608,8 @@ ieee80211_output(struct ifnet *ifp, stru if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != IEEE80211_FC0_VERSION_0) senderr(EIO); /* XXX */ + if (m->m_pkthdr.len < ieee80211_anyhdrsize(wh)) + senderr(EIO); /* XXX */ /* locate destination node */ switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { @@ -617,8 +619,6 @@ ieee80211_output(struct ifnet *ifp, stru break; case IEEE80211_FC1_DIR_TODS: case IEEE80211_FC1_DIR_DSTODS: - if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) - senderr(EIO); /* XXX */ ni = ieee80211_find_txnode(vap, wh->i_addr3); break; default:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201606091342.u59DgIAc083518>