From 6c9c65a5deadfd8985dfa08f3d663a0b323873e1 Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Mon, 22 Jun 2020 08:25:16 -0700
Subject: [PATCH] frame-xchg: fix incorrect length check frame_xchg_startv was using sizeof(mmpdu) to check the minimum length for a frame. Instead mmpdu_header_len should be used since this checks fc.order and returns either 24 or 28 bytes, not 28 bytes always. This change adds the requirement that the first iovec in the array must contain at least the first 2 bytes (mmpdu_fc) of the header. This really shouldn't be a problem since all current users of frame-xchg put the entire header (or entire frame) into the first iovec in the array.
---
 src/frame-xchg.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/frame-xchg.c b/src/frame-xchg.c
index 7e516d0a..61399561 100644
--- a/src/frame-xchg.c
+++ b/src/frame-xchg.c
@@ -1092,12 +1092,17 @@ void frame_xchg_startv(uint64_t wdev_id, struct iovec *frame, uint32_t freq,
 size_t frame_len;
 struct iovec *iov;
 uint8_t *ptr;
- struct mmpdu_header *mpdu;
 for (frame_len = 0, iov = frame; iov->iov_base; iov++)
 frame_len += iov->iov_len;
- if (frame_len < sizeof(*mpdu)) {
+ /* * This assumes that the first iovec at least contains the mmpdu_fc * portion of the header used to calculate the minimum length. */ if (frame[0].iov_len >= 2 && frame_len < mmpdu_header_len((const struct mmpdu_header *) frame[0].iov_base)) { l_error("Frame too short"); cb(-EMSGSIZE, user_data); return;
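Review bot: The new condition `frame[0].iov_len >= 2 && frame_len < mmpdu_header_len(...)` short-circuits to false whenever the first iovec holds fewer than 2 bytes, so exactly the frames the commit message says must be rejected (a first iovec that does not cover mmpdu_fc, including an empty iovec list where frame_len is 0) skip the "Frame too short" path and continue into the function instead of failing with -EMSGSIZE. The requirement described in the message is therefore not enforced; the short-iovec case should be an error, not a reason to bypass the check. Rewriting the guard as `if (frame[0].iov_len < 2 || frame_len < mmpdu_header_len((const struct mmpdu_header *) frame[0].iov_base)) {` keeps the header-length logic and also makes the comment above it a real precondition rather than a silent assumption. frame_xchg_startv begins before this hunk and its body continues past it, so whatever consumes frame_len and ptr after the check is outside this view.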