From 9c80d3dc272ec5ce44a7564e5392f950ad38357a Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Mon, 8 Sep 2008 15:41:59 +0200 Subject: mac80211: fix action frame length checks The action frame length checks are one too small, there's not just an action code as the comment makes you believe, there's a category code too, and the category code is required in each action frame (hence part of IEEE80211_MIN_ACTION_SIZE). Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/mlme.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'net/mac80211/mlme.c') diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index ae97d7e9945..eb1832aa1fe 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -60,7 +60,7 @@ #define ERP_INFO_USE_PROTECTION BIT(1) -/* mgmt header + 1 byte action code */ +/* mgmt header + 1 byte category code */ #define IEEE80211_MIN_ACTION_SIZE (24 + 1) #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002 @@ -2988,7 +2988,8 @@ static void ieee80211_rx_mgmt_action(struct ieee80211_sub_if_data *sdata, { struct ieee80211_local *local = sdata->local; - if (len < IEEE80211_MIN_ACTION_SIZE) + /* all categories we currently handle have action_code */ + if (len < IEEE80211_MIN_ACTION_SIZE + 1) return; switch (mgmt->u.action.category) { -- cgit v1.2.3-70-g09d2