diff options
author | sam <sam@FreeBSD.org> | 2008-09-06 17:38:20 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2008-09-06 17:38:20 +0000 |
commit | 9db405bfbdab2b180d27334b75882b51ad26aff3 (patch) | |
tree | 3761df2c9d5a3063caa17e45ecd45c6bb0bd291d /sys/net80211/ieee80211_ht.c | |
parent | 7923b9382d951cbc40e17ebeea2a8f7f290be639 (diff) | |
download | FreeBSD-src-9db405bfbdab2b180d27334b75882b51ad26aff3.zip FreeBSD-src-9db405bfbdab2b180d27334b75882b51ad26aff3.tar.gz |
o validate the ba policy in addba response
o leave a check for the max ba window disabled; we accept out of range
values and just truncate them but may want to act differently in the future
Diffstat (limited to 'sys/net80211/ieee80211_ht.c')
-rw-r--r-- | sys/net80211/ieee80211_ht.c | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/sys/net80211/ieee80211_ht.c b/sys/net80211/ieee80211_ht.c index 364ed24..9ab7086 100644 --- a/sys/net80211/ieee80211_ht.c +++ b/sys/net80211/ieee80211_ht.c @@ -1402,7 +1402,7 @@ ieee80211_aggr_recv_action(struct ieee80211_node *ni, const struct ieee80211_action *ia; struct ieee80211_rx_ampdu *rap; struct ieee80211_tx_ampdu *tap; - uint8_t dialogtoken; + uint8_t dialogtoken, policy; uint16_t baparamset, batimeout, baseqctl, code; uint16_t args[4]; int tid, ac, bufsiz; @@ -1470,6 +1470,7 @@ ieee80211_aggr_recv_action(struct ieee80211_node *ni, baparamset = LE_READ_2(frm+5); tid = MS(baparamset, IEEE80211_BAPS_TID); bufsiz = MS(baparamset, IEEE80211_BAPS_BUFSIZ); + policy = MS(baparamset, IEEE80211_BAPS_POLICY); batimeout = LE_READ_2(frm+7); ac = TID_TO_WME_AC(tid); @@ -1493,6 +1494,31 @@ ieee80211_aggr_recv_action(struct ieee80211_node *ni, vap->iv_stats.is_addba_badtoken++; return; } + /* NB: assumes IEEE80211_AGGR_IMMEDIATE is 1 */ + if (policy != (tap->txa_flags & IEEE80211_AGGR_IMMEDIATE)) { + IEEE80211_DISCARD_MAC(vap, + IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, + ni->ni_macaddr, "ADDBA response", + "policy mismatch: expecting %s, " + "received %s, tid %d code %d", + tap->txa_flags & IEEE80211_AGGR_IMMEDIATE, + policy, tid, code); + vap->iv_stats.is_addba_badpolicy++; + return; + } +#if 0 + /* XXX we take MIN in ieee80211_addba_response */ + if (bufsiz > IEEE80211_AGGR_BAWMAX) { + IEEE80211_DISCARD_MAC(vap, + IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, + ni->ni_macaddr, "ADDBA response", + "BA window too large: max %d, " + "received %d, tid %d code %d", + bufsiz, IEEE80211_AGGR_BAWMAX, tid, code); + vap->iv_stats.is_addba_badbawinsize++; + return; + } +#endif IEEE80211_NOTE(vap, IEEE80211_MSG_ACTION | IEEE80211_MSG_11N, ni, |