|
@@ -888,14 +888,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
|
|
|
*/
|
|
|
if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
|
|
|
ieee80211_is_data_present(hdr->frame_control)) {
|
|
|
- u16 ethertype;
|
|
|
- u8 *payload;
|
|
|
-
|
|
|
- payload = rx->skb->data +
|
|
|
- ieee80211_hdrlen(hdr->frame_control);
|
|
|
- ethertype = (payload[6] << 8) | payload[7];
|
|
|
- if (cpu_to_be16(ethertype) ==
|
|
|
- rx->sdata->control_port_protocol)
|
|
|
+ unsigned int hdrlen;
|
|
|
+ __be16 ethertype;
|
|
|
+
|
|
|
+ hdrlen = ieee80211_hdrlen(hdr->frame_control);
|
|
|
+
|
|
|
+ if (rx->skb->len < hdrlen + 8)
|
|
|
+ return RX_DROP_MONITOR;
|
|
|
+
|
|
|
+ skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2);
|
|
|
+ if (ethertype == rx->sdata->control_port_protocol)
|
|
|
return RX_CONTINUE;
|
|
|
}
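Review bot: The guard `if (rx->skb->len < hdrlen + 8)` and the read at `hdrlen + 6` use bare constants for what appears to be the 8-byte LLC/SNAP header with the ethertype in its last two bytes, and nothing in the hunk says so. A short comment above the guard, e.g. `/* LLC/SNAP header is 8 bytes; ethertype is bytes 6-7 */`, would make the bound auditable. The same comment should note that the return value of `skb_copy_bits()` is ignored only because this guard guarantees the two bytes are present. The visible lines do not compare the six bytes before the ethertype against a SNAP header, so the match against `control_port_protocol` presumably trusts the frame layout; whether that is validated elsewhere cannot be told from here, since ieee80211_rx_h_check starts and ends outside the hunk. On this page the third argument of `skb_copy_bits()` is rendered as `ðertype`, a mis-decoded `&ethertype`.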
|
|
|
|