mac80211: fix action frame length checks The action frame length checks are one too small, there's not just an action code as the comment makes you believe, there's a category code too, and the category code is required in each action frame (hence part of IEEE80211_MIN_ACTION_SIZE). Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: 9c80d3dc272ec5ce44a7564e5392f950ad38357a [log] [tgz]
author: Johannes Berg <johannes@sipsolutions.net> Mon Sep 08 15:41:59 2008 +0200
committer: John W. Linville <linville@tuxdriver.com> Thu Sep 11 15:53:35 2008 -0400
tree: 43b8e45567c790212581b117e9d06ae5f5fd975b
parent: 5bda617576e58c7213aef5ab90383f303727b5b1 [diff] [blame]
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ae97d7e..eb1832a 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c

@@ -60,7 +60,7 @@
 
 #define ERP_INFO_USE_PROTECTION BIT(1)
 
-/* mgmt header + 1 byte action code */
+/* mgmt header + 1 byte category code */
 #define IEEE80211_MIN_ACTION_SIZE (24 + 1)
 
 #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
@@ -2988,7 +2988,8 @@
 {
 	struct ieee80211_local *local = sdata->local;
 
-	if (len < IEEE80211_MIN_ACTION_SIZE)
+	/* all categories we currently handle have action_code */
+	if (len < IEEE80211_MIN_ACTION_SIZE + 1)
 		return;
 
 	switch (mgmt->u.action.category) {
commit	9c80d3dc272ec5ce44a7564e5392f950ad38357a	[log] [tgz]
author	Johannes Berg <johannes@sipsolutions.net>	Mon Sep 08 15:41:59 2008 +0200
committer	John W. Linville <linville@tuxdriver.com>	Thu Sep 11 15:53:35 2008 -0400
tree	43b8e45567c790212581b117e9d06ae5f5fd975b
parent	5bda617576e58c7213aef5ab90383f303727b5b1 [diff] [blame]