From 64164fda298492b4cab9883babd821cb49890486 Mon Sep 17 00:00:00 2001
From: Stefan Sperling
Date: Sat, 12 Dec 2015 13:56:11 +0000
Subject: In the A-MSDU receive code path, add an upper bounds check on A-MSDU subframe length and a clean exit at the bottom of the subframe loop.

ok mpi@
---
 sys/net80211/ieee80211_input.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 76ffe2ebcd1..66e59f1302c 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_input.c,v 1.144 2015/12/12 12:22:14 stsp Exp $ */
+/* $OpenBSD: ieee80211_input.c,v 1.145 2015/12/12 13:56:10 stsp Exp $ */
 
 /*-
  * Copyright (c) 2001 Atsushi Onoe
@@ -1061,6 +1061,13 @@ ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m,
 len -= LLC_SNAPFRAMELEN;
 }
 len += ETHER_HDR_LEN;
+if (len > m->m_pkthdr.len) {
+/* stop processing A-MSDU subframes */
+DPRINTF(("A-MSDU subframe too long (%d)\n", len));
+ic->ic_stats.is_rx_decap++;
+m_freem(m);
+break;
+}
 
 /* "detach" our A-MSDU subframe from the others */
 n = m_split(m, len, M_NOWAIT);
@@ -1072,6 +1079,10 @@ ieee80211_amsdu_decap(struct ieee80211com *ic, struct mbuf *m,
 }
 ieee80211_deliver_data(ic, m, ni);
 
+if (n->m_len == 0) {
+m_freem(n);
+break;
+}
 m = n;
 /* remove padding */
 pad = ((len + 3) & ~3) - len;
-- 
cgit v1.2.3
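Review bot: The new guard `if (len > m->m_pkthdr.len)` only says that processing stops, not why the entire remainder of the frame is discarded rather than just this subframe; a reader should not have to work out that subframes already handed to ieee80211_deliver_data() stay delivered and that nothing after a subframe whose declared length overruns the frame can be parsed reliably. I would replace the comment with `/* subframe claims more bytes than remain in the A-MSDU; the rest of the frame cannot be parsed, drop it */`. The check also depends on `m` carrying a valid packet header at this point, which the hunk does not show; it is presumably the chain the caller passed in or the one `m_split()` returned, but that assumption is worth stating next to the check. The enclosing subframe loop and the computation of `len` start outside the hunk.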
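Review bot: The exit test `if (n->m_len == 0)` inspects only the first mbuf of the remainder chain, not the remainder's total length; if `m_split()` can return a leading mbuf with `m_len == 0` whose data continues in `m_next` (a split point that falls exactly on an mbuf boundary), the remaining subframes would be freed and silently skipped instead of decapsulated. The upper-bound check added earlier in this commit already uses `m->m_pkthdr.len` for the same chain, so the consistent and more robust form is `if (n->m_pkthdr.len == 0) {`, which should be confirmed against `m_split()`'s contract before changing. The loop body continues past the hunk with the padding removal via `m_adj`.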