From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.01.org
Subject: [PATCH] frame-xchg: fix incorrect length check
Date: Mon, 22 Jun 2020 08:25:16 -0700
Message-ID: <20200622152516.22006-1-prestwoj@gmail.com>

frame_xchg_startv was using sizeof(mmpdu) to check the minimum length
for a frame. Instead mmpdu_header_len should be used since this checks
fc.order and returns either 24 or 28 bytes, not 28 bytes always.
This change adds the requirement that the first iovec in the array
must contain at least the first 2 bytes (mmpdu_fc) of the header.
This really shouldn't be a problem since all current users of
frame-xchg put the entire header (or entire frame) into the first
iovec in the array.
---
src/frame-xchg.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/frame-xchg.c b/src/frame-xchg.c
index dd60e080..3744a4c1 100644
--- a/src/frame-xchg.c
+++ b/src/frame-xchg.c
@@ -1090,12 +1090,17 @@ uint32_t frame_xchg_startv(uint64_t wdev_id, struct iovec *frame, uint32_t freq,
size_t frame_len;
struct iovec *iov;
uint8_t *ptr;
- struct mmpdu_header *mpdu;
for (frame_len = 0, iov = frame; iov->iov_base; iov++)
frame_len += iov->iov_len;
- if (frame_len < sizeof(*mpdu)) {
+ /*
+ * This assumes that the first iovec@least contains the mmpdu_fc
+ * portion of the header used to calculate the minimum length.
+ */
+ if (frame[0].iov_len >= 2 && frame_len <
+ mmpdu_header_len((const struct mmpdu_header *)
+ frame[0].iov_base)) {
l_error("Frame too short");
cb(-EMSGSIZE, user_data);
return 0;
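Review bot: the new condition fails open when the first iovec holds fewer than 2 bytes. In `frame[0].iov_len >= 2 && frame_len < mmpdu_header_len(...)`, a first iovec of 0 or 1 bytes makes the whole expression false, so the frame skips the "Frame too short" branch and continues with no minimum-length check at all, which is weaker than the old `sizeof(*mpdu)` test for that input. The commit message calls the 2-byte first iovec a requirement, so enforce it by rejecting instead: `frame[0].iov_len < 2 || frame_len < mmpdu_header_len(...)`. The short-circuit still keeps mmpdu_header_len from reading the frame control field out of a buffer that is too small. Since the summing loop above stops on a NULL `iov_base`, an empty array leaves `frame[0].iov_base` NULL, so consider testing that before the dereference as well. The added comment would then read better as a statement of what is enforced rather than what is assumed.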
--
2.21.1