diff options
| author | iwasaki <iwasaki@FreeBSD.org> | 2012-03-10 17:08:57 +0000 |
|---|---|---|
| committer | iwasaki <iwasaki@FreeBSD.org> | 2012-03-10 17:08:57 +0000 |
| commit | de7ad4a179b444e5497c842c77c7559dc9fccc2c (patch) | |
| tree | ec234af95f11064544d8c7bf518cafecfdf5751b /sys/dev/iwi | |
| parent | eaf47d1cd79c4fde9aba9adc9444cb7f78cbc044 (diff) | |
| download | FreeBSD-src-de7ad4a179b444e5497c842c77c7559dc9fccc2c.zip FreeBSD-src-de7ad4a179b444e5497c842c77c7559dc9fccc2c.tar.gz | |
Fix wrong asresp frame parsing in iwi_checkforqos().
After 8.0-RELEASE, iwi(4) doesn't send any data frames in infrastructure
mode.
Bacause of the condition `while (frm < efrm)', IEEE80211_VERIFY_LENGTH()
was checking item length beyond the ieee80211_frame region, and returned
from iwi_checkforqos() without setting flags, capinfo and associd.
In infrastructure mode associd is required, so this problem causes
discarding mbuf in ieee80211_start().
PR: kern/165819
Tested/Reviewed/Supported by: bschmidt and adrian
MFC after: 1 week
Diffstat (limited to 'sys/dev/iwi')
| -rw-r--r-- | sys/dev/iwi/if_iwi.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/iwi/if_iwi.c b/sys/dev/iwi/if_iwi.c index a7fd9d1..1059728 100644 --- a/sys/dev/iwi/if_iwi.c +++ b/sys/dev/iwi/if_iwi.c @@ -1357,8 +1357,8 @@ iwi_checkforqos(struct ieee80211vap *vap, frm += 2; wme = NULL; - while (frm < efrm) { - IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1], return); + while (efrm - frm > 1) { + IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); switch (*frm) { case IEEE80211_ELEMID_VENDOR: if (iswmeoui(frm)) |
