From: Bob Copeland Date: Tue, 14 Jul 2015 12:31:56 +0000 (-0400) Subject: mac80211: add missing length check for confirm frames X-Git-Tag: firefly_0821_release~176^2~1254^2~6^2~2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=b3e7de873df77c1fa0bc2cfaf3eaff757b80e773;p=firefly-linux-kernel-4.4.55.git mac80211: add missing length check for confirm frames Although mesh_rx_plink_frame() already checks that frames have enough bytes for the action code plus another two bytes for capability/reason code, it doesn't take into account that confirm frames also have an additional two-byte aid. As a result, a corrupt frame could cause a subsequent subtraction to wrap around to ill effect. Add another check for this case. Signed-off-by: Bob Copeland Signed-off-by: Johannes Berg --- diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c index f17127e754c9..3b59099413fb 100644 --- a/net/mac80211/mesh_plink.c +++ b/net/mac80211/mesh_plink.c @@ -1122,6 +1122,9 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, WLAN_SP_MESH_PEERING_CONFIRM) { baseaddr += 4; baselen += 4; + + if (baselen > len) + return; } ieee802_11_parse_elems(baseaddr, len - baselen, true, &elems); mesh_process_plink_frame(sdata, mgmt, &elems);