net80211: discard an injected frame if it is smaller than header length.

Do not try to pass such frames; a correct frame cannot be smaller than (the corresponding) header size. (for wpi(4) an additional check was added in r289012). PR: 144987
author: avos <avos@FreeBSD.org> 2016-06-09 13:42:18 +0000
committer: avos <avos@FreeBSD.org> 2016-06-09 13:42:18 +0000
commit: e5d79957a91dedf943729182545c1828d823049b (patch)
tree: 470ede811ac34485db81eec0e7d5779de920ec4b /sys/net80211
parent: 602a4b61b34e5cb89c9e6344010dbf4b8db5f72a (diff)
download: FreeBSD-src-e5d79957a91dedf943729182545c1828d823049b.zip
FreeBSD-src-e5d79957a91dedf943729182545c1828d823049b.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net80211/ieee80211_output.c b/sys/net80211/ieee80211_output.c
index 221abc2..5a6cce6 100644
--- a/sys/net80211/ieee80211_output.c
+++ b/sys/net80211/ieee80211_output.c
@@ -608,6 +608,8 @@ ieee80211_output(struct ifnet *ifp, struct mbuf *m,
 	if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
 	    IEEE80211_FC0_VERSION_0)
 		senderr(EIO);	/* XXX */
+	if (m->m_pkthdr.len < ieee80211_anyhdrsize(wh))
+		senderr(EIO);	/* XXX */
 
 	/* locate destination node */
 	switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
@@ -617,8 +619,6 @@ ieee80211_output(struct ifnet *ifp, struct mbuf *m,
 		break;
 	case IEEE80211_FC1_DIR_TODS:
 	case IEEE80211_FC1_DIR_DSTODS:
-		if (m->m_pkthdr.len < sizeof(struct ieee80211_frame))
-			senderr(EIO);	/* XXX */
 		ni = ieee80211_find_txnode(vap, wh->i_addr3);
 		break;
 	default:
author	avos <avos@FreeBSD.org>	2016-06-09 13:42:18 +0000
committer	avos <avos@FreeBSD.org>	2016-06-09 13:42:18 +0000
commit	e5d79957a91dedf943729182545c1828d823049b (patch)
tree	470ede811ac34485db81eec0e7d5779de920ec4b /sys/net80211
parent	602a4b61b34e5cb89c9e6344010dbf4b8db5f72a (diff)
download	FreeBSD-src-e5d79957a91dedf943729182545c1828d823049b.zip FreeBSD-src-e5d79957a91dedf943729182545c1828d823049b.tar.gz