mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-11-26 02:19:26 +01:00
frame-xchg: fix incorrect length check
frame_xchg_startv was using sizeof(mmpdu) to check the minimum length for a frame. Instead mmpdu_header_len should be used since this checks fc.order and returns either 24 or 28 bytes, not 28 bytes always. This change adds the requirement that the first iovec in the array must contain at least the first 2 bytes (mmpdu_fc) of the header. This really shouldn't be a problem since all current users of frame-xchg put the entire header (or entire frame) into the first iovec in the array.
This commit is contained in:
parent
6bf5c3ddbd
commit
6c9c65a5de
@ -1092,12 +1092,17 @@ void frame_xchg_startv(uint64_t wdev_id, struct iovec *frame, uint32_t freq,
|
|||||||
size_t frame_len;
|
size_t frame_len;
|
||||||
struct iovec *iov;
|
struct iovec *iov;
|
||||||
uint8_t *ptr;
|
uint8_t *ptr;
|
||||||
struct mmpdu_header *mpdu;
|
|
||||||
|
|
||||||
for (frame_len = 0, iov = frame; iov->iov_base; iov++)
|
for (frame_len = 0, iov = frame; iov->iov_base; iov++)
|
||||||
frame_len += iov->iov_len;
|
frame_len += iov->iov_len;
|
||||||
|
|
||||||
if (frame_len < sizeof(*mpdu)) {
|
/*
|
||||||
|
* This assumes that the first iovec at least contains the mmpdu_fc
|
||||||
|
* portion of the header used to calculate the minimum length.
|
||||||
|
*/
|
||||||
|
if (frame[0].iov_len >= 2 && frame_len <
|
||||||
|
mmpdu_header_len((const struct mmpdu_header *)
|
||||||
|
frame[0].iov_base)) {
|
||||||
l_error("Frame too short");
|
l_error("Frame too short");
|
||||||
cb(-EMSGSIZE, user_data);
|
cb(-EMSGSIZE, user_data);
|
||||||
return;
|
return;
|
||||||
|
Loading…
Reference in New Issue
Block a user