From 2d0e301063db285d84a7eb4db66731551fd7e8ce Mon Sep 17 00:00:00 2001
From: adrian
Date: Thu, 8 Oct 2015 07:22:40 +0000
Subject: [PATCH] wpi(4): check size before transmitting frames

In addition to https://bz-attachments.freebsd.org/attachment.cgi?id=156112; fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=144987.
Tested:
* Tested with Intel 3945BG, STA mode
Submitted by:
Differential Revision: https://reviews.freebsd.org/D3762
---
 sys/dev/wpi/if_wpi.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/dev/wpi/if_wpi.c b/sys/dev/wpi/if_wpi.c
index 9df98fa81ecc..a36c2ed404e2 100644
--- a/sys/dev/wpi/if_wpi.c
+++ b/sys/dev/wpi/if_wpi.c
@@ -2603,6 +2603,11 @@ wpi_cmd2(struct wpi_softc *sc, struct wpi_buf *buf)
 hdrlen = ieee80211_anyhdrsize(wh);
 totlen = buf->m->m_pkthdr.len;
 
+ if (__predict_false(totlen < sizeof(struct ieee80211_frame_min))) {
+ error = EINVAL;
+ goto fail;
+ }
+
 if (hdrlen & 3) {
 /* First segment length must be a multiple of 4. */
 pad = 4 - (hdrlen & 3);
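Review bot: The added guard only compares `totlen` with `sizeof(struct ieee80211_frame_min)`, so a frame whose control field implies a longer header than the packet actually holds still passes; `hdrlen`, taken from `ieee80211_anyhdrsize(wh)` on the hunk's first context line, is never compared with `totlen`. If the code after the hunk copies or trims `hdrlen` bytes (not visible here), it would go past the frame data, so the condition is safer as `if (__predict_false(totlen < sizeof(struct ieee80211_frame_min) || totlen < hdrlen)) {`. `hdrlen` is also derived from `wh` before any length has been validated, and `m_pkthdr.len` is the length of the whole mbuf chain rather than of the first mbuf that `wh` presumably points into, so running the minimum-size test ahead of the `ieee80211_anyhdrsize()` call and also checking `buf->m->m_len` would cover both. The body of wpi_cmd2 starts before and continues after this hunk.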