2013-12-23 11:41:08

by Fred Chou

Subject: [PATCH] mac80211: reorder packet checking and processing

Check received packet length first and drop the packet
if it is shorter than MAC header. Process packet after
the checking.

Signed-off-by: Fred Chou <[email protected]>
---
net/mac80211/rx.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 688e0aa..95b8cd9 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3145,20 +3145,21 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
struct sta_info *sta, *tmp, *prev_sta;
int err = 0;

- fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
- memset(&rx, 0, sizeof(rx));
- rx.skb = skb;
- rx.local = local;
+ hdr = (struct ieee80211_hdr *)skb->data;
+ fc = hdr->frame_control;

+ /* drop frame if too short for header */
+ if (skb->len < ieee80211_hdrlen(fc)) {
+ dev_kfree_skb(skb);
+ return;
+ }
+
+ /* update counter only for reliable packet */
if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
local->dot11ReceivedFragmentCount++;

if (ieee80211_is_mgmt(fc)) {
- /* drop frame if too short for header */
- if (skb->len < ieee80211_hdrlen(fc))
- err = -ENOBUFS;
- else
- err = skb_linearize(skb);
+ err = skb_linearize(skb);
} else {
err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
}
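Review bot: The new length test at the top of the function does not protect the first read, because fc is loaded through hdr->frame_control two lines before skb->len is compared with ieee80211_hdrlen(fc). If the goal is to check before touching the frame, a minimum-length test is needed ahead of that dereference. For non-management frames the else branch's pskb_may_pull(skb, ieee80211_hdrlen(fc)) already fails when the skb is shorter than the header, and the removed lines show management frames were already rejected with -ENOBUFS. The visible effect is therefore that short frames are freed earlier and no longer increment dot11ReceivedFragmentCount. The commit message should state that behaviour change, and the comment "update counter only for reliable packet" would be clearer if it said that only frames carrying a full header are counted.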
@@ -3168,7 +3169,10 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
return;
}

- hdr = (struct ieee80211_hdr *)skb->data;
+ memset(&rx, 0, sizeof(rx));
+ rx.skb = skb;
+ rx.local = local;
+
ieee80211_parse_qos(&rx);
ieee80211_verify_alignment(&rx);

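Review bot: Removing `hdr = (struct ieee80211_hdr *)skb->data;` at this point leaves hdr holding the value assigned before skb_linearize() or pskb_may_pull() ran. Both calls can reallocate the skb's data area, so any later use of hdr in this function would go through a stale pointer. Keep the reassignment here, after the error return, or derive fc without caching hdr early as the old code did. Moving the memset and the rx.skb / rx.local setup below the error path looks fine from the lines shown, since rx is not referenced before ieee80211_parse_qos(&rx).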
--
1.7.9.5



2014-01-06 16:42:45

by Johannes Berg

Subject: Re: [PATCH] mac80211: reorder packet checking and processing

On Mon, 2013-12-23 at 19:42 +0800, Fred Chou wrote:
> Check received packet length first and drop the packet
> if it is shorter than MAC header. Process packet after
> the checking.

Why do you think we should do this? Your commit message is also
misleading - we already check that the patch is long enough. Too short
packets should be relatively rare anyway.

johannes