mac80211: add length check in ieee80211_is_robust_mgmt_frame()
A few places weren't checking that the frame passed to the function actually has enough data even though the function clearly documents it must have a payload byte. Make this safer by changing the function to take an skb and checking the length inside. The old version is preserved for now as the rtl* drivers use it and don't have a correct skb. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
Johannes Berg
parent
ae811e21df
commit
d8ca16db6b
8 changed files with 28 additions and 19 deletions
|
|
@ -2192,10 +2192,10 @@ static inline u8 *ieee80211_get_DA(struct ieee80211_hdr *hdr)
|
|||
}
|
||||
|
||||
/**
|
||||
* ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
|
||||
* _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
|
||||
* @hdr: the frame (buffer must include at least the first octet of payload)
|
||||
*/
|
||||
static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
||||
static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
||||
{
|
||||
if (ieee80211_is_disassoc(hdr->frame_control) ||
|
||||
ieee80211_is_deauth(hdr->frame_control))
|
||||
|
|
@ -2223,6 +2223,17 @@ static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
|
|||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
|
||||
* @skb: the skb containing the frame, length will be checked
|
||||
*/
|
||||
static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
|
||||
{
|
||||
if (skb->len < 25)
|
||||
return false;
|
||||
return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
|
||||
}
|
||||
|
||||
/**
|
||||
* ieee80211_is_public_action - check if frame is a public action frame
|
||||
* @hdr: the frame
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue