PERFORCE change 116647 for review
Sepherosa Ziehau
sephe at FreeBSD.org
Tue Mar 27 14:21:30 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=116647
Change 116647 by sephe at sephe_zealot:sam_wifi on 2007/03/27 14:21:05
Make sure that the size of xrate+rate ie does not exceed the maximum
that net80211 can support.
Reviewed-by: sam@
Affected files ...
.. //depot/projects/wifi/sys/net80211/ieee80211_input.c#96 edit
.. //depot/projects/wifi/sys/net80211/ieee80211_scan_sta.c#16 edit
Differences ...
==== //depot/projects/wifi/sys/net80211/ieee80211_input.c#96 (text+ko) ====
@@ -2102,6 +2102,10 @@
frm += frm[1] + 2;
}
IEEE80211_VERIFY_ELEMENT(scan.rates, IEEE80211_RATE_MAXSIZE);
+ if (scan.xrates != NULL) {
+ IEEE80211_VERIFY_ELEMENT(scan.xrates,
+ IEEE80211_RATE_MAXSIZE - scan.rates[1]);
+ }
IEEE80211_VERIFY_ELEMENT(scan.ssid, IEEE80211_NWID_LEN);
#if IEEE80211_CHAN_MAX < 255
if (scan.chan > IEEE80211_CHAN_MAX) {
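Review bot: The subtraction `IEEE80211_RATE_MAXSIZE - scan.rates[1]` in the added xrates check is only a valid budget because the rates check on the preceding line has already bounded `scan.rates[1]`, and nothing in the code records that dependency. A short comment above the `if`, such as `/* rates[1] is bounded above; what remains is the budget for xrates */`, would keep a later reordering from computing the budget from an unchecked length. The same four lines are repeated in the hunks at -2342, -2534 and -2778 of this file, so a single wrapper macro beside IEEE80211_VERIFY_ELEMENT would keep the combined-length rule in one place. The macro's definition and the enclosing functions lie outside these hunks, so whether a failed check discards the whole frame (rather than truncating the rate set) is inferred and worth confirming as the intended behaviour.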
@@ -2342,6 +2346,10 @@
frm += frm[1] + 2;
}
IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
+ if (xrates != NULL) {
+ IEEE80211_VERIFY_ELEMENT(xrates,
+ IEEE80211_RATE_MAXSIZE - rates[1]);
+ }
IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
if ((ic->ic_flags & IEEE80211_F_HIDESSID) && ssid[1] == 0) {
@@ -2534,6 +2542,10 @@
frm += frm[1] + 2;
}
IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
+ if (xrates != NULL) {
+ IEEE80211_VERIFY_ELEMENT(xrates,
+ IEEE80211_RATE_MAXSIZE - rates[1]);
+ }
IEEE80211_VERIFY_ELEMENT(ssid, IEEE80211_NWID_LEN);
IEEE80211_VERIFY_SSID(ic->ic_bss, ssid);
@@ -2778,6 +2790,10 @@
}
IEEE80211_VERIFY_ELEMENT(rates, IEEE80211_RATE_MAXSIZE);
+ if (xrates != NULL) {
+ IEEE80211_VERIFY_ELEMENT(xrates,
+ IEEE80211_RATE_MAXSIZE - rates[1]);
+ }
rate = ieee80211_setup_rates(ni, rates, xrates,
IEEE80211_F_JOIN |
IEEE80211_F_DOSORT | IEEE80211_F_DOFRATE |
==== //depot/projects/wifi/sys/net80211/ieee80211_scan_sta.c#16 (text+ko) ====
@@ -244,7 +244,7 @@
memcpy(ise->se_rates, sp->rates, 2+sp->rates[1]);
if (sp->xrates != NULL) {
/* XXX validate xrates[1] */
- KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
+ KASSERT(sp->xrates[1] + sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
("xrate set too large: %u", sp->xrates[1]));
memcpy(ise->se_xrates, sp->xrates, 2+sp->xrates[1]);
} else
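Review bot: The assertion message still reports only `sp->xrates[1]` although the condition now tests the sum, so a failure caused by a large `sp->rates[1]` prints a misleading value; `("rate+xrate sets too large: %u+%u", sp->rates[1], sp->xrates[1])` would match the condition. KASSERT is normally compiled out of kernels built without INVARIANTS, so the `memcpy` into `ise->se_xrates` on the following line is bounded in production only by whatever validation callers did beforehand, and the `/* XXX validate xrates[1] */` comment is left open. A real length check that skips or truncates the copy would make this function safe on its own instead of relying on every caller. The enclosing function starts and ends outside the hunk.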