author | sam <sam@FreeBSD.org> | 2006-07-16 16:02:17 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2006-07-16 16:02:17 +0000 |
commit | a8a04e1beeb3458e74091f147afa70f052762d69 (patch) | |
tree | 88ed8ddb92fd2e13a994fa82fa491c76e803483c /sys/net80211 | |
parent | 7841889a36f38eb91594ec6be24d7575d57b69e8 (diff) | |
tighten invariant on loops used to parse ie's (information elements); this ensures we never
touch data outside the packet (previously we might touch 1 byte); it
also has the happy side effect of working around broken orinoco/agere
firmware that sends malformed association response frames
Help by: Vladimir Egorin
Diffstat (limited to 'sys/net80211')
-rw-r--r-- | sys/net80211/ieee80211_input.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index e6a9676..c1c5d97 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1818,7 +1818,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 scan.bchan = ieee80211_chan2ieee(ic, ic->ic_curchan);
 scan.chan = scan.bchan;
- while (frm < efrm) {
+ while (efrm - frm > 1) {
 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
 switch (*frm) {
 case IEEE80211_ELEMID_SSID:
@@ -2065,7 +2065,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 * [tlv] extended supported rates */
 ssid = rates = xrates = NULL;
- while (frm < efrm) {
+ while (efrm - frm > 1) {
 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
 switch (*frm) {
 case IEEE80211_ELEMID_SSID:
@@ -2242,7 +2242,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 if (reassoc) frm += 6; /* ignore current AP info */
 ssid = rates = xrates = wpa = wme = NULL;
- while (frm < efrm) {
+ while (efrm - frm > 1) {
 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
 switch (*frm) {
 case IEEE80211_ELEMID_SSID:
@@ -2448,7 +2448,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 frm += 2;
 rates = xrates = wpa = wme = NULL;
- while (frm < efrm) {
+ while (efrm - frm > 1) {
 IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
 switch (*frm) {
 case IEEE80211_ELEMID_RATES: |
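Review bot: In all four element loops of ieee80211_recv_mgmt (the hunks at 1818, 2065, 2242 and 2448), `IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);` still compares the remaining bytes with the payload length alone, although the remaining count also includes the two-byte id/length header. The new `efrm - frm > 1` condition makes the read of `frm[1]` safe, but, assuming the macro rejects only when its first argument is smaller than its second (its definition is not in this diff), an element whose declared body ends up to two bytes past `efrm` would still be accepted and handed to the `switch`. Consider `IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);` in each loop. The loop bodies continue outside the hunks, so how `frm` is advanced and how each case uses the element cannot be confirmed from here.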