From owner-freebsd-bugs@FreeBSD.ORG  Sun Feb  7 09:00:12 2010
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CA77D106568D
	for <freebsd-bugs@hub.freebsd.org>;
	Sun,  7 Feb 2010 09:00:12 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id BB0E48FC1B
	for <freebsd-bugs@hub.freebsd.org>;
	Sun,  7 Feb 2010 09:00:12 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id o1790CqX027129
	for <freebsd-bugs@freefall.freebsd.org>; Sun, 7 Feb 2010 09:00:12 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id o1790CZn027128;
	Sun, 7 Feb 2010 09:00:12 GMT (envelope-from gnats)
Date: Sun, 7 Feb 2010 09:00:12 GMT
Message-Id: <201002070900.o1790CZn027128@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Alexander Egorenkov <egorenar@googlemail.com>
Cc: 
Subject: Re: kern/143627: [ieee80211] A bug in ht_send_action_ba_addba
	causes net80211 to send malformed ADDBA response frames
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Alexander Egorenkov <egorenar@googlemail.com>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2010 09:00:12 -0000

The following reply was made to PR kern/143627; it has been noted by GNATS.

From: Alexander Egorenkov <egorenar@googlemail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/143627: [ieee80211] A bug in ht_send_action_ba_addba causes 
	net80211 to send malformed ADDBA response frames
Date: Sun, 7 Feb 2010 09:56:04 +0100

 --00148530b918d1526d047efeda9b
 Content-Type: text/plain; charset=ISO-8859-1
 
 Here is a simpler version of the fix.
 
 if (m != NULL) {
     *frm++ = category;
     *frm++ = action;
     *frm++ = args[0];              /* dialog token */
     ADDSHORT(frm, args[1]); /* baparamset(ADDBA req) or status code(ADDBA
 resp) */
     ADDSHORT(frm, args[2]); /* batimeout(ADDBA req) or baparamset(ADDBA
 resp) */
     ADDSHORT(frm, args[3]); /* baseqctl(ADDBA req) or batimeout(ADDBA resp)
 */
 
     m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
     return ht_action_output(ni, m);
 } else {
     vap->iv_stats.is_tx_nobuf++;
     ieee80211_free_node(ni);
     return ENOMEM;
 }
 
 --00148530b918d1526d047efeda9b
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 Here is a simpler version of the fix.<br><br>if (m !=3D NULL) {<br>=A0=A0=
 =A0
 		*frm++ =3D category;<br>=A0=A0=A0
 		*frm++ =3D action;<br>=A0=A0=A0
 		   *frm++ =3D args[0];=A0=A0	=A0 =A0 =A0 =A0 =A0=A0	/* dialog token */<br=
 >=A0=A0=A0
 		   ADDSHORT(frm, args[1]);	/* baparamset(ADDBA req) or status code(ADDBA =
 resp) */<br>=A0=A0=A0
 		   ADDSHORT(frm, args[2]);	/* batimeout(ADDBA req) or baparamset(ADDBA re=
 sp) */<br>=A0=A0=A0
 	           ADDSHORT(frm, args[3]);	/* baseqctl(ADDBA req) or batimeout(ADD=
 BA resp) */<br><br>=A0=A0=A0
 		m-&gt;m_pkthdr.len =3D m-&gt;m_len =3D frm - mtod(m, uint8_t *);<br>=A0=
 =A0=A0
 		return ht_action_output(ni, m);<br>
 	} else {<br>=A0=A0=A0
 		vap-&gt;iv_stats.is_tx_nobuf++;<br>=A0=A0=A0
 		ieee80211_free_node(ni);<br>=A0=A0=A0
 		return ENOMEM;<br>
 	}<br>
 
 --00148530b918d1526d047efeda9b--