diff options
author | avos <avos@FreeBSD.org> | 2016-06-09 13:42:18 +0000 |
---|---|---|
committer | avos <avos@FreeBSD.org> | 2016-06-09 13:42:18 +0000 |
commit | e5d79957a91dedf943729182545c1828d823049b (patch) | |
tree | 470ede811ac34485db81eec0e7d5779de920ec4b | |
parent | 602a4b61b34e5cb89c9e6344010dbf4b8db5f72a (diff) | |
download | FreeBSD-src-e5d79957a91dedf943729182545c1828d823049b.zip FreeBSD-src-e5d79957a91dedf943729182545c1828d823049b.tar.gz |
net80211: discard an injected frame if it is smaller than header length.
Do not try to pass such frames; a correct frame cannot be smaller than
(the corresponding) header size.
(for wpi(4) an additional check was added in r289012).
PR: 144987
-rw-r--r-- | sys/net80211/ieee80211_output.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net80211/ieee80211_output.c b/sys/net80211/ieee80211_output.c index 221abc2..5a6cce6 100644 --- a/sys/net80211/ieee80211_output.c +++ b/sys/net80211/ieee80211_output.c @@ -608,6 +608,8 @@ ieee80211_output(struct ifnet *ifp, struct mbuf *m, if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != IEEE80211_FC0_VERSION_0) senderr(EIO); /* XXX */ + if (m->m_pkthdr.len < ieee80211_anyhdrsize(wh)) + senderr(EIO); /* XXX */ /* locate destination node */ switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { @@ -617,8 +619,6 @@ ieee80211_output(struct ifnet *ifp, struct mbuf *m, break; case IEEE80211_FC1_DIR_TODS: case IEEE80211_FC1_DIR_DSTODS: - if (m->m_pkthdr.len < sizeof(struct ieee80211_frame)) - senderr(EIO); /* XXX */ ni = ieee80211_find_txnode(vap, wh->i_addr3); break; default: |