From patchwork Wed Aug 12 18:03:44 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Cardona X-Patchwork-Id: 40934 Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n7CIFvdt021138 for ; Wed, 12 Aug 2009 18:15:57 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752781AbZHLSPb (ORCPT ); Wed, 12 Aug 2009 14:15:31 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752772AbZHLSPb (ORCPT ); Wed, 12 Aug 2009 14:15:31 -0400 Received: from rv-out-0506.google.com ([209.85.198.238]:38253 "EHLO rv-out-0506.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751336AbZHLSP3 (ORCPT ); Wed, 12 Aug 2009 14:15:29 -0400 Received: by rv-out-0506.google.com with SMTP id f6so67731rvb.1 for ; Wed, 12 Aug 2009 11:15:31 -0700 (PDT) Received: by 10.140.192.14 with SMTP id p14mr153719rvf.254.1250100931112; Wed, 12 Aug 2009 11:15:31 -0700 (PDT) Received: from localhost (adsl-71-156-104-53.dsl.pltn13.sbcglobal.net [71.156.104.53]) by mx.google.com with ESMTPS id k2sm36635829rvb.57.2009.08.12.11.15.29 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 12 Aug 2009 11:15:30 -0700 (PDT) From: Javier Cardona To: linux-wireless@vger.kernel.org Cc: David Woo , Javier Cardona , andrey@cozybit.com, johannes@sipsolutions.net, linville@tuxdriver.com, devel@lists.open80211s.org Subject: [PATCH 2/2] mac80211: Fix invalid length passed to IE parser for PLINK CONFIRM frames Date: Wed, 12 Aug 2009 11:03:44 -0700 Message-Id: <1250100224-23832-3-git-send-email-javier@cozybit.com> X-Mailer: git-send-email 1.5.4.3 In-Reply-To: <1250100224-23832-2-git-send-email-javier@cozybit.com> References: <4A82639F.6000908@realsil.com.cn> <1250100224-23832-1-git-send-email-javier@cozybit.com> <1250100224-23832-2-git-send-email-javier@cozybit.com> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: David Woo The length of the fixed portion of plink confirm frames is 4 bytes longer than the other plink_action frames. This path corrects an error in the length adjustment done for these type of frames. Signed-off-by: Javier Cardona --- net/mac80211/mesh_plink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c index 7c49c95..3575fe3 100644 --- a/net/mac80211/mesh_plink.c +++ b/net/mac80211/mesh_plink.c @@ -415,7 +415,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m baselen = (u8 *) mgmt->u.action.u.plink_action.variable - (u8 *) mgmt; if (mgmt->u.action.u.plink_action.action_code == PLINK_CONFIRM) { baseaddr += 4; - baselen -= 4; + baselen += 4; } ieee802_11_parse_elems(baseaddr, len - baselen, &elems); if (!elems.peer_link) {