fix arbitrary restriction to inject only packets with length 12 radiotap hdr

rofl0r 2019-04-28 03:30:20 +01:00
parent ac49179314
commit e48f66942d
2 changed files with 9 additions and 11 deletions


@ -4355,7 +4355,7 @@ s32 rtw_monitor_xmit_entry(struct sk_buff *skb, struct net_device *ndev)
struct xmit_priv *pxmitpriv = &(padapter->xmitpriv);
unsigned char *pframe;
u8 dummybuf[32];
int len = skb->len, rtap_len;
int len = skb->len, rtap_len, consume;
if (skb)
rtw_mstat_update(MSTAT_TYPE_SKB, MSTAT_ALLOC_SUCCESS, skb->truesize);
@ -4372,12 +4372,15 @@ s32 rtw_monitor_xmit_entry(struct sk_buff *skb, struct net_device *ndev)
if (unlikely(skb->len < rtap_len))
goto fail;
if (rtap_len != 12) {
RTW_INFO("radiotap len (should be 14): %d\n", rtap_len);
goto fail;
len -= sizeof(struct ieee80211_radiotap_header);
rtap_len -= sizeof(struct ieee80211_radiotap_header);
while(rtap_len) {
consume = rtap_len > sizeof(dummybuf) ? sizeof(dummybuf) : rtap_len;
_rtw_pktfile_read(&pktfile, dummybuf, consume);
rtap_len -= consume;
len -= consume;
}
_rtw_pktfile_read(&pktfile, dummybuf, rtap_len-sizeof(struct ieee80211_radiotap_header));
len = len - rtap_len;
pmgntframe = alloc_mgtxmitframe(pxmitpriv);
if (pmgntframe == NULL) {
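Review bot: With the `rtap_len != 12` check removed, nothing visible in the second hunk rejects a radiotap length smaller than `sizeof(struct ieee80211_radiotap_header)`; the remaining `skb->len < rtap_len` test only bounds it from above. For such a frame `rtap_len -= sizeof(struct ieee80211_radiotap_header)` leaves a negative value in the `int`, and `while(rtap_len)` is then no longer bounded by the header length. The mixed signed/unsigned comparison `rtap_len > sizeof(dummybuf)` makes it worse, because a negative `rtap_len` selects the full buffer size on every pass. Unless a lower-bound check already exists above the hunk (the function starts and ends outside it), add `if (unlikely(rtap_len < (int)sizeof(struct ieee80211_radiotap_header))) goto fail;` before the subtraction and write the loop as `while (rtap_len > 0)`. The return value of `_rtw_pktfile_read` is also ignored, so a short read would go unnoticed; a brief comment stating that `dummybuf` is only a discard buffer for the radiotap fields would help the next reader.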


@ -4286,11 +4286,6 @@ static int rtw_cfg80211_monitor_if_xmit_entry(struct sk_buff *skb, struct net_de
if (unlikely(skb->len < rtap_len))
goto fail;
if (rtap_len != 14) {
RTW_INFO("radiotap len (should be 14): %d\n", rtap_len);
goto fail;
}
/* Skip the ratio tap header */
skb_pull(skb, rtap_len);