authorStefan Sperling <stsp@cvs.openbsd.org>2015-12-12 13:56:11 +0000
committerStefan Sperling <stsp@cvs.openbsd.org>2015-12-12 13:56:11 +0000
commit64164fda298492b4cab9883babd821cb49890486 (patch)
treefdb79599f58651a5f5aa33fd4435157dd1cfd1c4
parente2acb5cdff584c6b4b8d65a391632ae5d2d61cfc (diff)
In the A-MSDU receive code path, add an upper bounds check on A-MSDU
subframe length and a clean exit at the bottom of the subframe loop. ok mpi@
-rw-r--r--sys/net80211/ieee80211_input.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 76ffe2ebcd1..66e59f1302c 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_input.c,v 1.144 2015/12/12 12:22:14 stsp Exp $ */
+/* $OpenBSD: ieee80211_input.c,v 1.145 2015/12/12 13:56:10 stsp Exp $ */
/*-
* Copyright (c) 2001 Atsushi Onoe
@@ -1061,6 +1061,13 @@ ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m,
len -= LLC_SNAPFRAMELEN;
}
len += ETHER_HDR_LEN;
+ if (len > m->m_pkthdr.len) {
+ /* stop processing A-MSDU subframes */
+ DPRINTF(("A-MSDU subframe too long (%d)\n", len));
+ ic->ic_stats.is_rx_decap++;
+ m_freem(m);
+ break;
+ }
/* "detach" our A-MSDU subframe from the others */
n = m_split(m, len, M_NOWAIT);
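Review bot: The added bound `if (len > m->m_pkthdr.len)` uses `>` rather than `>=`, so a subframe whose length exactly equals the remaining chain passes and the m_split() that follows is asked to split at the very end of the data; nothing in this hunk says that this is intended or how the resulting empty remainder is dealt with. A comment would spare the next reader from re-deriving it, e.g. `/* len == m_pkthdr.len is the final subframe; m_split() then returns an empty remainder, handled further down the loop */`. The check itself is the right shape: it compares the attacker-controlled subframe length against the chain's packet-header length rather than the first mbuf's m_len, so a forged length can no longer walk m_split() past the received data, provided m_split() keeps M_PKTHDR and pkthdr.len valid on the remainder across iterations. ieee80211_amsdu_decap() and its subframe loop both start before this hunk.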
@@ -1072,6 +1079,10 @@ ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m,
}
ieee80211_deliver_data(ic, m, ni);
+ if (n->m_len == 0) {
+ m_freem(n);
+ break;
+ }
m = n;
/* remove padding */
pad = ((len + 3) & ~3) - len;
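Review bot: The new exit test `if (n->m_len == 0)` inspects only the first mbuf of the remainder returned by m_split(), not the remainder's total length. If m_split() can hand back a chain whose leading mbuf is empty while later mbufs still carry data — a subframe boundary that coincides with an mbuf boundary in a multi-mbuf chain — this test would stop decapsulation early and silently drop the remaining subframes; `if (n->m_pkthdr.len == 0)` is the direct expression of "no bytes left" and is insensitive to that layout. Either way the test deserves a comment stating what it guards against, e.g. `/* a subframe ending exactly at the end of the A-MSDU leaves an empty remainder */`. The subframe loop this sits in starts and ends outside the hunk, so whether the loop head pulls up a short leading mbuf before reading the next subframe header cannot be confirmed from here.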