From e48f66942d45152bc372aac71f1fcd80353fcd37 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Sun, 28 Apr 2019 03:30:20 +0100
Subject: [PATCH] fix arbitrary restriction to inject only packets with length 12 radiotap hdr
---
 core/rtw_xmit.c | 15 +++++++++------
 os_dep/linux/ioctl_cfg80211.c | 5 -----
 2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/core/rtw_xmit.c b/core/rtw_xmit.c
index 6e4174b..033032e 100644
--- a/core/rtw_xmit.c
+++ b/core/rtw_xmit.c
@@ -4355,7 +4355,7 @@ s32 rtw_monitor_xmit_entry(struct sk_buff *skb, struct net_device *ndev)
 struct xmit_priv *pxmitpriv = &(padapter->xmitpriv);
 unsigned char *pframe;
 u8 dummybuf[32];
- int len = skb->len, rtap_len;
+ int len = skb->len, rtap_len, consume;
 if (skb)
 rtw_mstat_update(MSTAT_TYPE_SKB, MSTAT_ALLOC_SUCCESS, skb->truesize);
@@ -4372,12 +4372,15 @@ s32 rtw_monitor_xmit_entry(struct sk_buff *skb, struct net_device *ndev)
 if (unlikely(skb->len < rtap_len))
 goto fail;
- if (rtap_len != 12) {
- RTW_INFO("radiotap len (should be 14): %d\n", rtap_len);
- goto fail;
+ len -= sizeof(struct ieee80211_radiotap_header);
+ rtap_len -= sizeof(struct ieee80211_radiotap_header);
+
+ while(rtap_len) {
+ consume = rtap_len > sizeof(dummybuf) ? sizeof(dummybuf) : rtap_len;
+ _rtw_pktfile_read(&pktfile, dummybuf, consume);
+ rtap_len -= consume;
+ len -= consume;
 }
- _rtw_pktfile_read(&pktfile, dummybuf, rtap_len-sizeof(struct ieee80211_radiotap_header));
- len = len - rtap_len;
 pmgntframe = alloc_mgtxmitframe(pxmitpriv);
 if (pmgntframe == NULL) {
diff --git a/os_dep/linux/ioctl_cfg80211.c b/os_dep/linux/ioctl_cfg80211.c
index 609f9c6..a70bc71 100644
--- a/os_dep/linux/ioctl_cfg80211.c
+++ b/os_dep/linux/ioctl_cfg80211.c
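Review bot: In the second core/rtw_xmit.c hunk (`@@ -4372,12 +4372,15 @@`), nothing visible keeps `rtap_len` at or above `sizeof(struct ieee80211_radiotap_header)` before the new `rtap_len -= sizeof(struct ieee80211_radiotap_header);`, and the removed `rtap_len != 12` test was the only visible lower bound. If an injected frame declares a shorter radiotap length, `rtap_len` goes negative: `while(rtap_len)` stays true, and `rtap_len > sizeof(dummybuf)` is evaluated as an unsigned comparison, so every pass takes the 32-byte branch and pushes `rtap_len` and `len` further below zero instead of towards termination. Unless code above the hunk already rejects that case (the function starts and ends outside the hunk, so this cannot be confirmed here), add `if (unlikely(rtap_len < (int)sizeof(struct ieee80211_radiotap_header))) goto fail;` ahead of the subtraction and write the loop condition as `while (rtap_len > 0)`. The result of `_rtw_pktfile_read` is also ignored, so it is worth confirming that `len` still matches what was actually consumed before it is used further down.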
@@ -4286,11 +4286,6 @@ static int rtw_cfg80211_monitor_if_xmit_entry(struct sk_buff *skb, struct net_de
 if (unlikely(skb->len < rtap_len))
 goto fail;
- if (rtap_len != 14) {
- RTW_INFO("radiotap len (should be 14): %d\n", rtap_len);
- goto fail;
- }
-
 /* Skip the ratio tap header */
 skb_pull(skb, rtap_len);