Commit 70bdb6b2 authored by David Woo's avatar David Woo Committed by John W. Linville

mac80211: Fix invalid length passed to IE parser for PLINK CONFIRM frames

The length of the fixed portion of plink confirm frames is 4 bytes longer than
the other plink_action frames.  This path corrects an error in the length
adjustment done for these type of frames.
Signed-off-by: default avatarJavier Cardona <javier@cozybit.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 57ef5ddb
...@@ -409,7 +409,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m ...@@ -409,7 +409,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
baselen = (u8 *) mgmt->u.action.u.plink_action.variable - (u8 *) mgmt; baselen = (u8 *) mgmt->u.action.u.plink_action.variable - (u8 *) mgmt;
if (mgmt->u.action.u.plink_action.action_code == PLINK_CONFIRM) { if (mgmt->u.action.u.plink_action.action_code == PLINK_CONFIRM) {
baseaddr += 4; baseaddr += 4;
baselen -= 4; baselen += 4;
} }
ieee802_11_parse_elems(baseaddr, len - baselen, &elems); ieee802_11_parse_elems(baseaddr, len - baselen, &elems);
if (!elems.peer_link) { if (!elems.peer_link) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment