mac80211: pass in PS_POLL frames

author Ron Rindjunsky <ron.rindjunsky@intel.com>

Tue, 18 Dec 2007 15:23:53 +0000 (17:23 +0200)

committer David S. Miller <davem@davemloft.net>

Mon, 28 Jan 2008 22:59:16 +0000 (14:59 -0800)
author Ron Rindjunsky <ron.rindjunsky@intel.com>
Tue, 18 Dec 2007 15:23:53 +0000 (17:23 +0200)
committer David S. Miller <davem@davemloft.net>
Mon, 28 Jan 2008 22:59:16 +0000 (14:59 -0800)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c

index 9cd59ecbcd674ddefd4cf6c3da13d3651bd6cfa6..e65da5780cd38780ed6eccd2876b93077ccfbbfc 100644 (file)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -61,8 +61,10 @@ static inline int should_drop_frame(struct ieee80211_rx_status *status,
                 return 1;
         if (unlikely(skb->len < 16 + present_fcs_len + radiotap_len))
                 return 1;
-       if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FTYPE)) ==
-                       cpu_to_le16(IEEE80211_FTYPE_CTL))
+       if (((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FTYPE)) ==
+                       cpu_to_le16(IEEE80211_FTYPE_CTL)) &&
+           ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE)) !=
+                       cpu_to_le16(IEEE80211_STYPE_PSPOLL)))
                 return 1;
         return 0;
  }
@@ -896,6 +898,7 @@ ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx)
  static ieee80211_txrx_result
  ieee80211_rx_h_ps_poll(struct ieee80211_txrx_data *rx)
  {
+       struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
         struct sk_buff *skb;
         int no_pending_pkts;
         DECLARE_MAC_BUF(mac);
@@ -906,6 +909,10 @@ ieee80211_rx_h_ps_poll(struct ieee80211_txrx_data *rx)
                    !(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)))
                 return TXRX_CONTINUE;
  
+       if ((sdata->type != IEEE80211_IF_TYPE_AP) &&
+           (sdata->type != IEEE80211_IF_TYPE_VLAN))
+               return TXRX_DROP;
+
         skb = skb_dequeue(&rx->sta->tx_filtered);
         if (!skb) {
                 skb = skb_dequeue(&rx->sta->ps_tx_buf);
diff --git a/net/mac80211/util.c b/net/mac80211/util.c

index 7b278e9aa1a46a7e7728250825139ea2b15adde5..fb7fd896cd0d81f74ed07df845034a8f49e13d18 100644 (file)
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -135,13 +135,16 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
  {
         u16 fc;
  
-       if (len < 24)
+        /* drop ACK/CTS frames and incorrect hdr len (ctrl) */
+       if (len < 16)
                 return NULL;
  
         fc = le16_to_cpu(hdr->frame_control);
  
         switch (fc & IEEE80211_FCTL_FTYPE) {
         case IEEE80211_FTYPE_DATA:
+               if (len < 24) /* drop incorrect hdr len (data) */
+                       return NULL;
                 switch (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
                 case IEEE80211_FCTL_TODS:
                         return hdr->addr1;
@@ -154,6 +157,8 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len)
                 }
                 break;
         case IEEE80211_FTYPE_MGMT:
+               if (len < 24) /* drop incorrect hdr len (mgmt) */
+                       return NULL;
                 return hdr->addr3;
         case IEEE80211_FTYPE_CTL:
                 if ((fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_PSPOLL)
author	Ron Rindjunsky <ron.rindjunsky@intel.com>
	Tue, 18 Dec 2007 15:23:53 +0000 (17:23 +0200)
committer	David S. Miller <davem@davemloft.net>
	Mon, 28 Jan 2008 22:59:16 +0000 (14:59 -0800)
net/mac80211/rx.c		patch \| blob \| history
net/mac80211/util.c		patch \| blob \| history