Staging: wlan-ng: p80211conv.c copy code from wlan-ng-devel branch to not drop packets
From: Richard Kennedy
Date: Mon Nov 03 2008 - 06:24:54 EST
allow card to correctly receive network packets,
without this change all incoming packets are dropped.
code copied from the latest wlan-ng-devel tree.
Signed-off-by: Richard Kennedy <richard@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
drivers/staging/wlan-ng/p80211conv.c | 49 ++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
--- a/drivers/staging/wlan-ng/p80211conv.c
+++ b/drivers/staging/wlan-ng/p80211conv.c
@@ -377,6 +377,14 @@ int skb_p80211_to_ether( wlandevice_t *w
(memcmp(saddr, e_hdr->saddr, WLAN_ETHADDR_LEN) == 0))) {
WLAN_LOG_DEBUG(3, "802.3 ENCAP len: %d\n", payload_length);
/* 802.3 Encapsulated */
+ /* Test for an overlength frame */
+ if ( payload_length > (netdev->mtu + WLAN_ETHHDR_LEN)) {
+ /* A bogus length ethfrm has been encap'd. */
+ /* Is someone trying an oflow attack? */
+ WLAN_LOG_ERROR("ENCAP frame too large (%d > %d)\n",
+ payload_length, netdev->mtu + WLAN_ETHHDR_LEN);
+ return 1;
+ }
/* Chop off the 802.11 header. it's already sane. */
skb_pull(skb, payload_offset);
@@ -396,6 +404,15 @@ int skb_p80211_to_ether( wlandevice_t *w
/* it's a SNAP + RFC1042 frame && protocol is in STT */
/* build 802.3 + RFC1042 */
+ /* Test for an overlength frame */
+ if ( payload_length > netdev->mtu ) {
+ /* A bogus length ethfrm has been sent. */
+ /* Is someone trying an oflow attack? */
+ WLAN_LOG_ERROR("SNAP frame too large (%d > %d)\n",
+ payload_length, netdev->mtu);
+ return 1;
+ }
+
/* chop 802.11 header from skb. */
skb_pull(skb, payload_offset);
@@ -416,6 +433,18 @@ int skb_p80211_to_ether( wlandevice_t *w
/* it's an 802.1h frame || (an RFC1042 && protocol is not in STT) */
/* build a DIXII + RFC894 */
+ /* Test for an overlength frame */
+ if ((payload_length - sizeof(wlan_llc_t) - sizeof(wlan_snap_t))
+ > netdev->mtu) {
+ /* A bogus length ethfrm has been sent. */
+ /* Is someone trying an oflow attack? */
+ WLAN_LOG_ERROR("DIXII frame too large (%ld > %d)\n",
+ (long int) (payload_length - sizeof(wlan_llc_t) -
+ sizeof(wlan_snap_t)),
+ netdev->mtu);
+ return 1;
+ }
+
/* chop 802.11 header from skb. */
skb_pull(skb, payload_offset);
@@ -440,6 +469,16 @@ int skb_p80211_to_ether( wlandevice_t *w
/* build an 802.3 frame */
/* allocate space and setup hostbuf */
+ /* Test for an overlength frame */
+ if ( payload_length > netdev->mtu ) {
+ /* A bogus length ethfrm has been sent. */
+ /* Is someone trying an oflow attack? */
+ WLAN_LOG_ERROR("OTHER frame too large (%d > %d)\n",
+ payload_length,
+ netdev->mtu);
+ return 1;
+ }
+
/* Chop off the 802.11 header. */
skb_pull(skb, payload_offset);
@@ -454,8 +493,16 @@ int skb_p80211_to_ether( wlandevice_t *w
}
+ /*
+ * Note that eth_type_trans() expects an skb w/ skb->data pointing
+ * at the MAC header, it then sets the following skb members:
+ * skb->mac_header,
+ * skb->data, and
+ * skb->pkt_type.
+ * It then _returns_ the value that _we're_ supposed to stuff in
+ * skb->protocol. This is nuts.
+ */
skb->protocol = eth_type_trans(skb, netdev);
- skb_reset_mac_header(skb);
/* jkriegl: process signal and noise as set in hfa384x_int_rx() */
/* jkriegl: only process signal/noise if requested by iwspy */
Patches currently in gregkh-2.6 which might be from richard@xxxxxxxxxxxxxxx are
staging/staging-wlan-ng-hfa384x_usb.c-use-newest-version-of-384x_drvr_start.patch
staging/staging-wlan-ng-hfa384x_usbin_callback-check-for-hardware-removed.patch
staging/staging-wlan-ng-p80211conv.c-copy-code-from-wlan-ng-devel-branch-to-not-drop-packets.patch
staging/staging-wlan-ng-p80211netdev.c-fix-netdev-alloc-to-prevent-oops-on-device-start.patch
staging/staging-wlan-ng-p80211wext.c-add-latest-changes-remove-extra-nulls-from-wext_handlers.patch
staging/staging-wlan-ng-p80211wext-don-t-set-default-key-id-twice.patch
staging/staging-wlan-ng-prism2_usb.c-always-enable-the-card-in-probe_usb.patch
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/