--- /dev/null
+From 6dbda2d00d466225f9db1dc695ff852443f28832 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 26 Oct 2012 00:41:23 +0200
+Subject: mac80211: make sure data is accessible in EAPOL check
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 6dbda2d00d466225f9db1dc695ff852443f28832 upstream.
+
+The code to allow EAPOL frames even when the station
+isn't yet marked associated needs to check that the
+incoming frame is long enough and due to paged RX it
+also can't assume skb->data contains the right data,
+it must use skb_copy_bits(). Fix this to avoid using
+data that doesn't really exist.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -848,14 +848,16 @@ ieee80211_rx_h_check(struct ieee80211_rx
+ */
+ if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
+ ieee80211_is_data_present(hdr->frame_control)) {
+- u16 ethertype;
+- u8 *payload;
++ unsigned int hdrlen;
++ __be16 ethertype;
+
+- payload = rx->skb->data +
+- ieee80211_hdrlen(hdr->frame_control);
+- ethertype = (payload[6] << 8) | payload[7];
+- if (cpu_to_be16(ethertype) ==
+- rx->sdata->control_port_protocol)
++ hdrlen = ieee80211_hdrlen(hdr->frame_control);
++
++ if (rx->skb->len < hdrlen + 8)
++ return RX_DROP_MONITOR;
++
++ skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2);
++ if (ethertype == rx->sdata->control_port_protocol)
+ return RX_CONTINUE;
+ }
+
projects / thirdparty / kernel / stable-queue.git / blobdiff