mac80211: fix action frame length checks The action frame length checks are one too small, there's not just an action code as the comment makes you believe, there's a category code too, and the category code is required in each action frame (hence part of IEEE80211_MIN_ACTION_SIZE). Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: 9c80d3dc272ec5ce44a7564e5392f950ad38357a [log] [tgz]
author: Johannes Berg <johannes@sipsolutions.net> Mon Sep 08 15:41:59 2008 +0200
committer: John W. Linville <linville@tuxdriver.com> Thu Sep 11 15:53:35 2008 -0400
tree: 43b8e45567c790212581b117e9d06ae5f5fd975b
parent: 5bda617576e58c7213aef5ab90383f303727b5b1 [diff] [blame]
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index eeb0ce2..59fd7fe 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c

@@ -581,6 +581,10 @@
 	size_t baselen;
 	u32 last_hop_metric;
 
+	/* need action_code */
+	if (len < IEEE80211_MIN_ACTION_SIZE + 1)
+		return;
+
 	baselen = (u8 *) mgmt->u.action.u.mesh_action.variable - (u8 *) mgmt;
 	ieee802_11_parse_elems(mgmt->u.action.u.mesh_action.variable,
 			len - baselen, &elems);
commit	9c80d3dc272ec5ce44a7564e5392f950ad38357a	[log] [tgz]
author	Johannes Berg <johannes@sipsolutions.net>	Mon Sep 08 15:41:59 2008 +0200
committer	John W. Linville <linville@tuxdriver.com>	Thu Sep 11 15:53:35 2008 -0400
tree	43b8e45567c790212581b117e9d06ae5f5fd975b
parent	5bda617576e58c7213aef5ab90383f303727b5b1 [diff] [blame]