d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix wrong asresp frame parsing in iwi_checkforqos().

Browse Source 
After 8.0-RELEASE, iwi(4) doesn't send any data frames in infrastructure
mode.

Bacause of the condition `while (frm < efrm)', IEEE80211_VERIFY_LENGTH()
was checking item length beyond the ieee80211_frame region, and returned
from iwi_checkforqos() without setting flags, capinfo and associd.

In infrastructure mode associd is required, so this problem causes
discarding mbuf in ieee80211_start().

PR:	kern/165819
Tested/Reviewed/Supported by: bschmidt and adrian
MFC after:	1 week
This commit is contained in:
Mitsuru IWASAKI 2012-03-10 17:08:57 +00:00
parent 08cdfdf1de
commit 7199b6f7ee
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=232785
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/dev/iwi/if_iwi.c
View File

@ -1357,8 +1357,8 @@ iwi_checkforqos(struct ieee80211vap *vap,
frm += 2;
wme = NULL;
while (frm < efrm) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1], return);
while (efrm - frm > 1) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
switch (*frm) {
case IEEE80211_ELEMID_VENDOR:
if (iswmeoui(frm))