summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Bergamini <damien@cvs.openbsd.org>2008-04-17 18:16:06 +0000
committerDamien Bergamini <damien@cvs.openbsd.org>2008-04-17 18:16:06 +0000
commitc80b29099f4e6b18aba5129b0bf8f3e96e9544f8 (patch)
tree38a1144415ea93877d7cb8eedc32cf3feb176841
parent58bd3d5d1f8766fb6f7af3e51dc4bf9ea504389a (diff)
do not blindly call ieee80211_get_hdrlen() in rt2860_rx_intr().
we may end up passing control frames (ps-poll or others) which is not supported by ieee80211_get_hdrlen(). first found by pedro la peu, reminded by jsg@ closes kernel/5750
-rw-r--r--sys/dev/ic/rt2860.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/sys/dev/ic/rt2860.c b/sys/dev/ic/rt2860.c
index 82c085e6a4e..65d2205d0ac 100644
--- a/sys/dev/ic/rt2860.c
+++ b/sys/dev/ic/rt2860.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rt2860.c,v 1.12 2008/04/16 18:32:15 damien Exp $ */
+/* $OpenBSD: rt2860.c,v 1.13 2008/04/17 18:16:05 damien Exp $ */
/*-
* Copyright (c) 2007
@@ -997,7 +997,6 @@ rt2860_rx_intr(struct rt2860_softc *sc)
struct ieee80211_frame *wh;
struct ieee80211_node *ni;
struct mbuf *m, *mnew;
- u_int hdrlen;
uint8_t ant, rssi;
int error;
#if NBPFILTER > 0
@@ -1081,10 +1080,10 @@ rt2860_rx_intr(struct rt2860_softc *sc)
m->m_pkthdr.len = m->m_len = letoh16(rxwi->len) & 0xfff;
wh = mtod(m, struct ieee80211_frame *);
- hdrlen = ieee80211_get_hdrlen(wh);
/* HW may insert 2 padding bytes after 802.11 header */
if (letoh32(rxd->flags) & RT2860_RX_L2PAD) {
+ u_int hdrlen = ieee80211_get_hdrlen(wh);
ovbcopy(wh, (caddr_t)wh + 2, hdrlen);
m->m_data += 2;
wh = mtod(m, struct ieee80211_frame *);