mac80211: explicitly check skb->len
authorHarvey Harrison <harvey.harrison@gmail.com>
Wed, 16 Jul 2008 01:44:05 +0000 (18:44 -0700)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 22 Aug 2008 20:29:53 +0000 (16:29 -0400)
ieee80211_get_hdrlen_from_skb internally checks the skb is long enough to
hold the full ieee80211_hdr, else it returns zero.  Use ieee80211_hdrlen
which always returns the hdrlen and check the remaining room in the
skb explicitly when removing encryption headers or the qos control field.

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/main.c

index aa5a191598c9f1a6ab487abbfdeb964ee2fae4f9..f5537f90dd367f731a68cb78be17b2a30ae524ea 100644 (file)
@@ -1244,9 +1244,10 @@ static void ieee80211_remove_tx_extra(struct ieee80211_local *local,
                                      struct ieee80211_key *key,
                                      struct sk_buff *skb)
 {
-       int hdrlen, iv_len, mic_len;
+       unsigned int hdrlen, iv_len, mic_len;
+       struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
 
-       hdrlen = ieee80211_get_hdrlen_from_skb(skb);
+       hdrlen = ieee80211_hdrlen(hdr->frame_control);
 
        if (!key)
                goto no_key;
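Review bot: `hdrlen = ieee80211_hdrlen(hdr->frame_control);` now reads two bytes from skb->data with no check that skb->len covers them; the helper it replaces refused a too-short skb by returning 0, and that guard is not reinstated anywhere in this hunk. On this TX path the header was presumably built by mac80211 itself, so the read is very likely safe in practice, but since the commit's stated purpose is explicit length checks it would be cheap to add `if (skb->len < sizeof(hdr->frame_control)) return;` right after the assignment, and a one-line comment saying why the header is trusted would help the next reader either way. ieee80211_remove_tx_extra continues past this hunk.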
@@ -1268,24 +1269,20 @@ static void ieee80211_remove_tx_extra(struct ieee80211_local *local,
                goto no_key;
        }
 
-       if (skb->len >= mic_len &&
+       if (skb->len >= hdrlen + mic_len &&
            !(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
                skb_trim(skb, skb->len - mic_len);
-       if (skb->len >= iv_len && skb->len > hdrlen) {
+       if (skb->len >= hdrlen + iv_len) {
                memmove(skb->data + iv_len, skb->data, hdrlen);
-               skb_pull(skb, iv_len);
+               hdr = (struct ieee80211_hdr *)skb_pull(skb, iv_len);
        }
 
 no_key:
-       {
-               struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
-               u16 fc = le16_to_cpu(hdr->frame_control);
-               if ((fc & 0x8C) == 0x88) /* QoS Control Field */ {
-                       fc &= ~IEEE80211_STYPE_QOS_DATA;
-                       hdr->frame_control = cpu_to_le16(fc);
-                       memmove(skb->data + 2, skb->data, hdrlen - 2);
-                       skb_pull(skb, 2);
-               }
+       if (ieee80211_is_data_qos(hdr->frame_control)) {
+               hdr->frame_control &= ~cpu_to_le16(IEEE80211_STYPE_QOS_DATA);
+               memmove(skb->data + IEEE80211_QOS_CTL_LEN, skb->data,
+                       hdrlen - IEEE80211_QOS_CTL_LEN);
+               skb_pull(skb, IEEE80211_QOS_CTL_LEN);
        }
 }
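Review bot: The QoS branch at the end memmoves `hdrlen - IEEE80211_QOS_CTL_LEN` bytes and pulls IEEE80211_QOS_CTL_LEN, but unlike the MIC and IV branches above it has no `skb->len >= hdrlen` check, even though the commit message says the room is checked when removing the qos control field. The branch is reached directly via `goto no_key` without passing either guarded branch, and when the IV check fails the code also falls through to it with the IV still in place, so a short skb can still reach the memmove. I would make the condition `if (ieee80211_is_data_qos(hdr->frame_control) && skb->len >= hdrlen) {`, mirroring the two checks above; `hdrlen` is unsigned now, but for a QoS data frame ieee80211_hdrlen is at least 26, so the subtraction itself does not wrap. ieee80211_remove_tx_extra starts before this hunk.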