mac80211: explicitly check skb->len
ieee80211_get_hdrlen_from_skb internally checks the skb is long enough to hold the full ieee80211_hdr, else it returns zero. Use ieee80211_hdrlen which always returns the hdrlen and check the remaining room in the skb explicitly when removing encryption headers or the qos control field. Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
parent
798ee9850e
commit
62bf1d762e
|
@ -1244,9 +1244,10 @@ static void ieee80211_remove_tx_extra(struct ieee80211_local *local,
|
||||||
struct ieee80211_key *key,
|
struct ieee80211_key *key,
|
||||||
struct sk_buff *skb)
|
struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
int hdrlen, iv_len, mic_len;
|
unsigned int hdrlen, iv_len, mic_len;
|
||||||
|
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
|
||||||
|
|
||||||
hdrlen = ieee80211_get_hdrlen_from_skb(skb);
|
hdrlen = ieee80211_hdrlen(hdr->frame_control);
|
||||||
|
|
||||||
if (!key)
|
if (!key)
|
||||||
goto no_key;
|
goto no_key;
|
||||||
|
@ -1268,24 +1269,20 @@ static void ieee80211_remove_tx_extra(struct ieee80211_local *local,
|
||||||
goto no_key;
|
goto no_key;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (skb->len >= mic_len &&
|
if (skb->len >= hdrlen + mic_len &&
|
||||||
!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
|
!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
|
||||||
skb_trim(skb, skb->len - mic_len);
|
skb_trim(skb, skb->len - mic_len);
|
||||||
if (skb->len >= iv_len && skb->len > hdrlen) {
|
if (skb->len >= hdrlen + iv_len) {
|
||||||
memmove(skb->data + iv_len, skb->data, hdrlen);
|
memmove(skb->data + iv_len, skb->data, hdrlen);
|
||||||
skb_pull(skb, iv_len);
|
hdr = (struct ieee80211_hdr *)skb_pull(skb, iv_len);
|
||||||
}
|
}
|
||||||
|
|
||||||
no_key:
|
no_key:
|
||||||
{
|
if (ieee80211_is_data_qos(hdr->frame_control)) {
|
||||||
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
|
hdr->frame_control &= ~cpu_to_le16(IEEE80211_STYPE_QOS_DATA);
|
||||||
u16 fc = le16_to_cpu(hdr->frame_control);
|
memmove(skb->data + IEEE80211_QOS_CTL_LEN, skb->data,
|
||||||
if ((fc & 0x8C) == 0x88) /* QoS Control Field */ {
|
hdrlen - IEEE80211_QOS_CTL_LEN);
|
||||||
fc &= ~IEEE80211_STYPE_QOS_DATA;
|
skb_pull(skb, IEEE80211_QOS_CTL_LEN);
|
||||||
hdr->frame_control = cpu_to_le16(fc);
|
|
||||||
memmove(skb->data + 2, skb->data, hdrlen - 2);
|
|
||||||
skb_pull(skb, 2);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Reference in New Issue