Fix wrong asresp frame parsing in iwi_checkforqos().

After 8.0-RELEASE, iwi(4) doesn't send any data frames in infrastructure
mode.

Because of the condition `while (frm < efrm)', IEEE80211_VERIFY_LENGTH()
was checking item length beyond the ieee80211_frame region, and returned
from iwi_checkforqos() without setting flags, capinfo and associd.

In infrastructure mode associd is required, so this problem causes
discarding mbuf in ieee80211_start().

PR:	kern/165819
Tested/Reviewed/Supported by: bschmidt and adrian
MFC after:	1 week
iwasaki 2012-03-10 17:08:57 +00:00
parent eaf47d1cd7
commit de7ad4a179

@ -1357,8 +1357,8 @@ iwi_checkforqos(struct ieee80211vap *vap,
frm += 2;
wme = NULL;
while (frm < efrm) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1], return);
while (efrm - frm > 1) {
IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
switch (*frm) {
case IEEE80211_ELEMID_VENDOR:
if (iswmeoui(frm))
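
Review bot: the length check in the new loop still uses `return` as its failure action, so a single truncated element at the tail of the response makes iwi_checkforqos() exit early, which the commit message identifies as the path that leaves flags, capinfo and associd unset. The corrected bounds (`efrm - frm > 1` and `frm[1] + 2`) stop that from happening on well-formed frames, but it is worth deciding whether a malformed trailing element should abort the whole function or only end element parsing, so that associd is still recorded in infrastructure mode. A short comment above the loop would also help: it should say that the condition guarantees the two-byte element header (ID and length) is readable before `frm[1]` is dereferenced, and that a single stray trailing byte is deliberately ignored.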