Date:      Sat, 10 Mar 2012 17:08:57 +0000 (UTC)
From:      Mitsuru IWASAKI <iwasaki@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r232785 - head/sys/dev/iwi
Message-ID:  <201203101708.q2AH8vIJ065240@svn.freebsd.org>

Author: iwasaki
Date: Sat Mar 10 17:08:57 2012
New Revision: 232785
URL: http://svn.freebsd.org/changeset/base/232785

Log:
  Fix wrong asresp frame parsing in iwi_checkforqos().
  
  After 8.0-RELEASE, iwi(4) doesn't send any data frames in infrastructure
  mode.
  
  Because of the condition `while (frm < efrm)', IEEE80211_VERIFY_LENGTH()
  was checking item length beyond the ieee80211_frame region, and returned
  from iwi_checkforqos() without setting flags, capinfo and associd.
  
  In infrastructure mode associd is required, so this problem causes
  discarding mbuf in ieee80211_start().
  
  PR:	kern/165819
  Tested/Reviewed/Supported by: bschmidt and adrian
  MFC after:	1 week

Modified:
  head/sys/dev/iwi/if_iwi.c

Modified: head/sys/dev/iwi/if_iwi.c
==============================================================================
--- head/sys/dev/iwi/if_iwi.c	Sat Mar 10 15:08:37 2012	(r232784)
+++ head/sys/dev/iwi/if_iwi.c	Sat Mar 10 17:08:57 2012	(r232785)
@@ -1357,8 +1357,8 @@ iwi_checkforqos(struct ieee80211vap *vap
 	frm += 2;
 
 	wme = NULL;
-	while (frm < efrm) {
-		IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1], return);
+	while (efrm - frm > 1) {
+		IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return);
 		switch (*frm) {
 		case IEEE80211_ELEMID_VENDOR:
 			if (iswmeoui(frm))
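Review bot: with `while (efrm - frm > 1)` a lone trailing byte (an element id with no length byte) now ends the loop silently instead of being flagged; if ignoring such padding is the intent, a one-line comment above the loop would save the next reader from wondering, otherwise an explicit `IEEE80211_VERIFY_LENGTH(efrm - frm, 2, return)` before the `switch` would reject it. The two changes otherwise fit together: the `> 1` guard is what makes the `frm[1]` read inside `IEEE80211_VERIFY_LENGTH()` safe, and `frm[1] + 2` sizes the check to the whole element (id, length and body) rather than the body alone, so a final element whose body runs past `efrm` now takes the `return` path instead of being accepted and stepping `frm` past the end of the frame. Since the length is a single byte, `frm[1] + 2` is evaluated in `int` and cannot wrap.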



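The two length checks from the hunk above, as an added example that is not FreeBSD's code and not part of if_iwi.c: an 802.11 information-element walker written once with the pre-r232785 check and once with the corrected one, run over constructed IE buffers (a well-formed pair, a final element whose body is shorter than its length byte claims, and a lone trailing id byte). The old walker's out-of-bounds read of the length byte is reported rather than performed, so the program is well defined; the struct, function and array names, and the simplified inline check standing in for IEEE80211_VERIFY_LENGTH(), are this example's own.

```c
/*
 * Added example, not code from FreeBSD or from if_iwi.c: an 802.11
 * information-element (IE) walker written two ways, with the pre-r232785
 * length check and with the corrected one, run over constructed IE
 * buffers.  Each IE is <id><len><len body bytes>.  The struct, function
 * and array names below are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ELEMID_VENDOR 221  /* same numeric value as IEEE80211_ELEMID_VENDOR */

struct walk_result {
    int  elements;   /* IEs accepted by the length check */
    int  vendor;     /* of those, how many carried ELEMID_VENDOR */
    bool early_ret;  /* length check failed and the walker returned early */
    bool overread;   /* old loop needed the length byte beyond the end */
};

/*
 * Corrected walker (the r232785 logic): require two bytes before reading
 * the length byte, then require the whole element, header included.
 */
struct walk_result walk_fixed(const uint8_t *frm, size_t len)
{
    struct walk_result r = {0, 0, false, false};
    size_t off = 0;

    while (len - off > 1) {                      /* while (efrm - frm > 1) */
        size_t elen = (size_t)frm[off + 1] + 2;  /* VERIFY_LENGTH(efrm - frm, frm[1] + 2, return) */
        if (len - off < elen) {
            r.early_ret = true;
            return r;
        }
        if (frm[off] == ELEMID_VENDOR)
            r.vendor++;
        r.elements++;
        off += elen;
    }
    return r;
}

/*
 * Pre-r232785 walker, with the out-of-bounds read instrumented instead of
 * performed: `while (frm < efrm)` admits a lone trailing byte, whose
 * length byte frm[1] lies past efrm, and checking against frm[1] instead
 * of frm[1] + 2 accepts a final element whose body is short by up to two
 * bytes.
 */
struct walk_result walk_old(const uint8_t *frm, size_t len)
{
    struct walk_result r = {0, 0, false, false};
    size_t off = 0;

    while (off < len) {                          /* while (frm < efrm) */
        if (len - off < 2) {                     /* frm[1] would be read beyond efrm */
            r.overread = true;
            return r;
        }
        if (len - off < frm[off + 1]) {          /* VERIFY_LENGTH(efrm - frm, frm[1], return) */
            r.early_ret = true;
            return r;
        }
        if (frm[off] == ELEMID_VENDOR)
            r.vendor++;
        r.elements++;
        off += (size_t)frm[off + 1] + 2;         /* may step past len; the loop then ends */
    }
    return r;
}

/* Constructed inputs, not captured frames. */
static const uint8_t ie_good[] = {              /* SSID "abc", then a 2-byte vendor IE */
    0x00, 0x03, 'a', 'b', 'c', 0xDD, 0x02, 0x11, 0x22 };
static const uint8_t ie_truncated[] = {         /* vendor IE claims 6 body bytes, 4 present */
    0x00, 0x03, 'a', 'b', 'c', 0xDD, 0x06, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t ie_trailing[] = {          /* a lone id byte with no length byte */
    0x00, 0x03, 'a', 'b', 'c', 0xDD };

static void show(const char *name, struct walk_result r)
{
    printf("%-10s elements=%d vendor=%d early_ret=%d overread=%d\n",
           name, r.elements, r.vendor, r.early_ret, r.overread);
}

int main(void)
{
    show("old/good",  walk_old(ie_good, sizeof ie_good));
    show("new/good",  walk_fixed(ie_good, sizeof ie_good));
    show("old/trunc", walk_old(ie_truncated, sizeof ie_truncated));
    show("new/trunc", walk_fixed(ie_truncated, sizeof ie_truncated));
    show("old/trail", walk_old(ie_trailing, sizeof ie_trailing));
    show("new/trail", walk_fixed(ie_trailing, sizeof ie_trailing));
    return 0;
}
```

On the truncated buffer the old check passes (6 bytes remain, the length byte says 6) and the element is counted even though its body is two bytes short; the corrected check compares the remaining 6 bytes against 8 and returns early, which is the path the commit message describes as leaving flags, capinfo and associd unset. On the trailing-byte buffer the old loop needs a length byte that lies past the end, while the corrected loop simply stops.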