Changeset 2296

Timestamp:

04/26/07 23:46:12 (5 years ago)

Author:

mentor

Message:

Have athff_decap check that there is enough data in the frame for the headers it tries to use.

This patch changes the variable frame_len to an unsigned variable for safety. This variable is referenced 4 times, including declaration; all expect an unsigned values, and there are no cross-type comparisons. The code type-checks and compiles with gcc-4.1 and linux-2.6.20.

Files:

• trunk/net80211/ieee80211_input.c (modified) (10 diffs)

trunk/net80211/ieee80211_input.c

@@ -126 +126 @@
-
-#ifdef ATH_SUPERG_FF
-void
+int
-#endif
-#ifdef USE_HEADERLEN_RESV
@@ -690 +690 @@
-                        struct ether_header *eh_tmp;
-                        struct athl2p_tunnel_hdr *ath_hdr;
-
+unsigned 
-
-                        /* NB: assumes linear (i.e., non-fragmented) skb */
@@ -715 +715 @@
-                        /* move past the tunneled header, with alignment */
-                        skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
+                        eh_tmp = (struct ether_header *)skb->data;
+                        
+                        /* ether_type must be length as FF frames are always LLC/SNAP encap'd */
+                        frame_len = ntohs(eh_tmp->ether_type);
-
-                        skb1 = skb_clone(skb, GFP_ATOMIC); /* XXX: GFP_ATOMIC is overkill? */
-
-
-
-
-
-
+
+
+
-                        athff_decap(skb);
-
@@ -730 +731 @@
-                        /* prepare second tunneled frame */
-                        skb_pull(skb1, roundup(sizeof(struct ether_header) + frame_len, 4));
-
-
-
+
+
+
+
+
+
+
+
+
+
-
-                        /* deliver the frames */
@@ -1153 +1161 @@
-}
-
+/* This function removes the 802.11 header, including LLC/SNAP headers and 
+ * replaces it with an Ethernet II header. */
-static struct sk_buff *
-ieee80211_decap(struct ieee80211vap *vap, struct sk_buff *skb, int hdrlen)
@@ -1161 +1171 @@
-        __be16 ether_type = 0;
-
-
+
+
-        llc = (struct llc *) skb_pull(skb, hdrlen);
-        if (skb->len >= LLC_SNAPFRAMELEN &&
@@ -1167 +1178 @@
-            llc->llc_control == LLC_UI && llc->llc_snap.org_code[0] == 0 &&
-            llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0) {
+                
-                ether_type = llc->llc_un.type_snap.ether_type;
-                skb_pull(skb, LLC_SNAPFRAMELEN);
-                llc = NULL;
-        }
+
-        eh = (struct ether_header *) skb_push(skb, sizeof(struct ether_header));
-        switch (wh.i_fc[1] & IEEE80211_FC1_DIR_MASK) {
@@ -1190 +1203 @@
-                break;
-        }
+
+        if (llc != NULL)
+                eh->ether_type = ether_type;
+        else
+                eh->ether_type = htons(skb->len - sizeof(*eh));
+        
-        if (!ALIGNED_POINTER(skb->data + sizeof(*eh), u_int32_t)) {
-n
-
-
-n
+tskb
+
+:
+tskb
-                dev_kfree_skb(skb);
-
-
-
-
-
-
-
-
-
+
+
-        return skb;
-}
@@ -3665 +3677 @@
-
-#ifdef ATH_SUPERG_FF
-void
+int
-athff_decap(struct sk_buff *skb)
-{
-        struct ether_header eh_src, *eh_dst;
-        struct llc *llc;
+
+        if (skb->len < (sizeof(struct ether_header) + LLC_SNAPFRAMELEN))
+                return -1;
-
-        memcpy(&eh_src, skb->data, sizeof(struct ether_header));
@@ -3678 +3693 @@
-        eh_dst = (struct ether_header *) skb_push(skb, sizeof(struct ether_header));
-        memcpy(eh_dst, &eh_src, sizeof(struct ether_header));
+
+        return 0;
-}
-#endif