The firmware does pad notifications to an even number of bytes (at least

the association notification), the included information though always contains an elem block with an odd number of bytes. We handle the last byte as if it might contain a whole elem block, this of course is not true as one byte is not enough to hold a block, we therefore discard the complete frame. The solution here is to subtract one from the actual notification length, this is also what the Linux driver does. With this change the frames ends exactly where the last elem block ends. This commit also reverts r214160 which is no longer required and now even wrong. MFC after: 1 week
2010-10-23 11:26:22 +00:00 · 2010-10-23 11:26:22 +00:00 · 82510b7eca
commit 82510b7eca
parent 0d2f5a4eaa
1 changed files with 2 additions and 2 deletions
--- a/sys/dev/iwi/if_iwi.c
+++ b/sys/dev/iwi/if_iwi.c
@ -1356,7 +1356,7 @@ iwi_checkforqos(struct ieee80211vap *vap,

 	wme = NULL;
 	while (frm < efrm) {
-		IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1], break);
+		IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1], return);
 		switch (*frm) {
 		case IEEE80211_ELEMID_VENDOR:
 			if (iswmeoui(frm))
@ -1483,7 +1483,7 @@ iwi_notification_intr(struct iwi_softc *sc, struct iwi_notif *notif)
 			IWI_STATE_END(sc, IWI_FW_ASSOCIATING);
 			iwi_checkforqos(vap,
 			    (const struct ieee80211_frame *)(assoc+1),
-			    le16toh(notif->len) - sizeof(*assoc));
+			    le16toh(notif->len) - sizeof(*assoc) - 1);
 			ieee80211_new_state(vap, IEEE80211_S_RUN, -1);
 			break;
 		case IWI_ASSOC_INIT: