d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bounds check each ie's length when parsing

Browse Source 
Obtained from:	madwifi
MFC after:	1 week
This commit is contained in:
Sam Leffler 2006-01-23 19:31:00 +00:00
parent 03001f59c8
commit 336ec6a116
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/net80211/ieee80211_input.c
View File

@ -1769,6 +1769,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
scan.chan = scan.bchan; scan.chan = scan.bchan;
while (frm < efrm) { while (frm < efrm) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
switch (*frm) { switch (*frm) {
case IEEE80211_ELEMID_SSID: case IEEE80211_ELEMID_SSID:
scan.ssid = frm; scan.ssid = frm;
@ -2001,6 +2002,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
*/ */
ssid = rates = xrates = NULL; ssid = rates = xrates = NULL;
while (frm < efrm) { while (frm < efrm) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
switch (*frm) { switch (*frm) {
case IEEE80211_ELEMID_SSID: case IEEE80211_ELEMID_SSID:
ssid = frm; ssid = frm;
@ -2177,6 +2179,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
frm += 6; /* ignore current AP info */ frm += 6; /* ignore current AP info */
ssid = rates = xrates = wpa = wme = NULL; ssid = rates = xrates = wpa = wme = NULL;
while (frm < efrm) { while (frm < efrm) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
switch (*frm) { switch (*frm) {
case IEEE80211_ELEMID_SSID: case IEEE80211_ELEMID_SSID:
ssid = frm; ssid = frm;
@ -2381,6 +2384,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
rates = xrates = wpa = wme = NULL; rates = xrates = wpa = wme = NULL;
while (frm < efrm) { while (frm < efrm) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
switch (*frm) { switch (*frm) {
case IEEE80211_ELEMID_RATES: case IEEE80211_ELEMID_RATES:
rates = frm; rates = frm;