summaryrefslogtreecommitdiffstats
path: root/net/mac80211/wpa.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2014-01-23 16:20:29 +0100
committerJohannes Berg <johannes.berg@intel.com>2014-02-04 21:58:07 +0100
commitd8ca16db6bb23d03fcb794df44bae64ae976f27c (patch)
treef577a829374c0f9daba8bf70e1ea3d6ac107089c /net/mac80211/wpa.c
parentae811e21df28deb4c2adab0a47fc3da4f56d777b (diff)
downloadlinux-stable-d8ca16db6bb23d03fcb794df44bae64ae976f27c.tar.gz
linux-stable-d8ca16db6bb23d03fcb794df44bae64ae976f27c.tar.bz2
linux-stable-d8ca16db6bb23d03fcb794df44bae64ae976f27c.zip
mac80211: add length check in ieee80211_is_robust_mgmt_frame()
A few places weren't checking that the frame passed to the function actually has enough data even though the function clearly documents it must have a payload byte. Make this safer by changing the function to take an skb and checking the length inside. The old version is preserved for now as the rtl* drivers use it and don't have a correct skb. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/wpa.c')
-rw-r--r--net/mac80211/wpa.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 4aed45c8ee3b..b8600e3c29c8 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -494,7 +494,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
hdrlen = ieee80211_hdrlen(hdr->frame_control);
if (!ieee80211_is_data(hdr->frame_control) &&
- !ieee80211_is_robust_mgmt_frame(hdr))
+ !ieee80211_is_robust_mgmt_frame(skb))
return RX_CONTINUE;
data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -