3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-26 02:19:26 +01:00

frame-xchg: fix incorrect length check

frame_xchg_startv was using sizeof(mmpdu) to check the minimum length
for a frame. Instead mmpdu_header_len should be used since this checks
fc.order and returns either 24 or 28 bytes, not 28 bytes always.

This change adds the requirement that the first iovec in the array
must contain at least the first 2 bytes (mmpdu_fc) of the header.
This really shouldn't be a problem since all current users of
frame-xchg put the entire header (or entire frame) into the first
iovec in the array.
This commit is contained in:
James Prestwood 2020-06-22 08:25:16 -07:00 committed by Denis Kenzior
parent 6bf5c3ddbd
commit 6c9c65a5de

View File

@ -1092,12 +1092,17 @@ void frame_xchg_startv(uint64_t wdev_id, struct iovec *frame, uint32_t freq,
size_t frame_len; size_t frame_len;
struct iovec *iov; struct iovec *iov;
uint8_t *ptr; uint8_t *ptr;
struct mmpdu_header *mpdu;
for (frame_len = 0, iov = frame; iov->iov_base; iov++) for (frame_len = 0, iov = frame; iov->iov_base; iov++)
frame_len += iov->iov_len; frame_len += iov->iov_len;
if (frame_len < sizeof(*mpdu)) { /*
* This assumes that the first iovec at least contains the mmpdu_fc
* portion of the header used to calculate the minimum length.
*/
if (frame[0].iov_len >= 2 && frame_len <
mmpdu_header_len((const struct mmpdu_header *)
frame[0].iov_base)) {
l_error("Frame too short"); l_error("Frame too short");
cb(-EMSGSIZE, user_data); cb(-EMSGSIZE, user_data);
return; return;