mac80211: add missing length check for confirm frames
Although mesh_rx_plink_frame() already checks that frames have enough bytes for the action code plus another two bytes for capability/reason code, it doesn't take into account that confirm frames also have an additional two-byte aid. As a result, a corrupt frame could cause a subsequent subtraction to wrap around to ill effect. Add another check for this case.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
parent 2ea752cd2c
commit b3e7de873d
@ -1122,6 +1122,9 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
|
||||
WLAN_SP_MESH_PEERING_CONFIRM) {
|
||||
baseaddr += 4;
|
||||
baselen += 4;
|
||||
|
||||
if (baselen > len)
|
||||
return;
|
||||
}
|
||||
ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems);
|
||||
mesh_process_plink_frame(sdata, mgmt, &elems);
|
||||
|
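Review bot: the new `if (baselen > len)` check in the WLAN_SP_MESH_PEERING_CONFIRM branch has no comment saying that it protects the `len - baselen` argument to ieee802_11_parse_elems() just below from wrapping; a one-line comment there (confirm frames carry an extra two-byte aid) would keep a later refactor from dropping it. The guard also covers only this branch, so the non-confirm path still depends on the earlier length check outside this hunk; placing the `baselen > len` test immediately before the ieee802_11_parse_elems() call would bound the subtraction for every frame type in one place.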