svn commit: r195558 - projects/mesh11s/sys/net80211

[Rui Paulo]

Author: rpaulo
Date: Fri Jul 10 13:14:02 2009
New Revision: 195558
URL: http://svn.freebsd.org/changeset/base/195558

Log:
  Check the lenght of some IEs.
  
  Sponsored by:	The FreeBSD Foundation

Modified:
  projects/mesh11s/sys/net80211/ieee80211_hwmp.c

Modified: projects/mesh11s/sys/net80211/ieee80211_hwmp.c
==============================================================================
--- projects/mesh11s/sys/net80211/ieee80211_hwmp.c	Fri Jul 10 12:15:23 2009	(r195557)
+++ projects/mesh11s/sys/net80211/ieee80211_hwmp.c	Fri Jul 10 13:14:02 2009	(r195558)
@@ -286,12 +286,20 @@ hwmp_recv_action_meshpath_preq(struct ie
 		if (*iefrm == IEEE80211_ELEMID_MESHPREQ) {
 			const struct ieee80211_meshpreq_ie *mpreq =
 			    (const struct ieee80211_meshpreq_ie *) iefrm;
+			/* XXX > 1 target */
+			if (mpreq->preq_len !=
+			    sizeof(struct ieee80211_meshpreq_ie) - 2) {
+				IEEE80211_DISCARD(vap,
+				    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
+				    wh, NULL, "%s", "PREQ with wrong len");
+				vap->iv_stats.is_rx_mgtdiscard++;
+				return 1;
+			}
 			memcpy(&preq, mpreq, sizeof(preq));
 			preq.preq_id = LE_READ_4(&mpreq->preq_id);
 			preq.preq_origseq = LE_READ_4(&mpreq->preq_origseq);
 			preq.preq_lifetime = LE_READ_4(&mpreq->preq_lifetime);
 			preq.preq_metric = LE_READ_4(&mpreq->preq_metric);
-			/* XXX > 1 target */
 			preq.preq_targets[0].target_seq =
 			    LE_READ_4(&mpreq->preq_targets[0].target_seq);
 			hwmp_recv_preq(vap, ni, wh, &preq);
@@ -319,6 +327,14 @@ hwmp_recv_action_meshpath_prep(struct ie
 		if (*iefrm == IEEE80211_ELEMID_MESHPREP) {
 			const struct ieee80211_meshprep_ie *mprep =
 			    (const struct ieee80211_meshprep_ie *) iefrm;
+			if (mprep->prep_len !=
+			    sizeof(struct ieee80211_meshprep_ie) - 2) {
+				IEEE80211_DISCARD(vap,
+				    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
+				    wh, NULL, "%s", "PREP with wrong len");
+				vap->iv_stats.is_rx_mgtdiscard++;
+				return 1;
+			}
 			memcpy(&prep, mprep, sizeof(prep));
 			prep.prep_targetseq = LE_READ_4(&mprep->prep_targetseq);
 			prep.prep_lifetime = LE_READ_4(&mprep->prep_lifetime);
@@ -349,8 +365,16 @@ hwmp_recv_action_meshpath_perr(struct ie
 		if (*iefrm == IEEE80211_ELEMID_MESHPERR) {
 			const struct ieee80211_meshperr_ie *mperr =
 			    (const struct ieee80211_meshperr_ie *) iefrm;
-			memcpy(&perr, mperr, sizeof(perr));
 			/* XXX > 1 target */
+			if (mperr->perr_len !=
+			    sizeof(struct ieee80211_meshperr_ie) - 2) {
+				IEEE80211_DISCARD(vap,
+				    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
+				    wh, NULL, "%s", "PERR with wrong len");
+				vap->iv_stats.is_rx_mgtdiscard++;
+				return 1;
+			}
+			memcpy(&perr, mperr, sizeof(perr));
 			perr.perr_dests[0].dest_seq =
 			    LE_READ_4(&mperr->perr_dests[0].dest_seq);
 			hwmp_recv_perr(vap, ni, wh, &perr);
@@ -378,6 +402,14 @@ hwmp_recv_action_meshpath_rann(struct ie
 		if (*iefrm == IEEE80211_ELEMID_MESHRANN) {
 			const struct ieee80211_meshrann_ie *mrann =
 			    (const struct ieee80211_meshrann_ie *) iefrm;
+			if (mrann->rann_len !=
+			    sizeof(struct ieee80211_meshrann_ie) - 2) {
+				IEEE80211_DISCARD(vap,
+				    IEEE80211_MSG_ACTION | IEEE80211_MSG_HWMP,
+				    wh, NULL, "%s", "RAN with wrong len");
+				vap->iv_stats.is_rx_mgtdiscard++;
+				return 1;
+			}
 			memcpy(&rann, mrann, sizeof(rann));
 			rann.rann_seq = LE_READ_4(&mrann->rann_seq);
 			rann.rann_metric = LE_READ_4(&mrann->rann_metric);