[PATCH] frame-xchg: fix incorrect length check

* [PATCH] frame-xchg: fix incorrect length check
@ 2020-06-22 15:25 James Prestwood
  2020-06-22 15:30 ` Denis Kenzior
  0 siblings, 1 reply; 2+ messages in thread
From: James Prestwood @ 2020-06-22 15:25 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 1406 bytes --]

frame_xchg_startv was using sizeof(mmpdu) to check the minimum length
for a frame. Instead mmpdu_header_len should be used since this checks
fc.order and returns either 24 or 28 bytes, not 28 bytes always.

This change adds the requirement that the first iovec in the array
must contain at least the first 2 bytes (mmpdu_fc) of the header.
This really shouldn't be a problem since all current users of
frame-xchg put the entire header (or entire frame) into the first
iovec in the array.
---
 src/frame-xchg.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/frame-xchg.c b/src/frame-xchg.c
index dd60e080..3744a4c1 100644
--- a/src/frame-xchg.c
+++ b/src/frame-xchg.c
@@ -1090,12 +1090,17 @@ uint32_t frame_xchg_startv(uint64_t wdev_id, struct iovec *frame, uint32_t freq,
 	size_t frame_len;
 	struct iovec *iov;
 	uint8_t *ptr;
-	struct mmpdu_header *mpdu;
 
 	for (frame_len = 0, iov = frame; iov->iov_base; iov++)
 		frame_len += iov->iov_len;
 
-	if (frame_len < sizeof(*mpdu)) {
+	/*
+	 * This assumes that the first iovec@least contains the mmpdu_fc
+	 * portion of the header used to calculate the minimum length.
+	 */
+	if (frame[0].iov_len >= 2 && frame_len <
+				mmpdu_header_len((const struct mmpdu_header *)
+				frame[0].iov_base)) {
 		l_error("Frame too short");
 		cb(-EMSGSIZE, user_data);
 		return 0;
-- 
2.21.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread