mac80211: add missing sanity checks for action frames
authorFelix Fietkau <nbd@openwrt.org>
Thu, 7 Jan 2010 19:23:53 +0000 (20:23 +0100)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 8 Jan 2010 20:49:28 +0000 (15:49 -0500)
Various missing sanity checks caused rejected action frames to be
interpreted as channel switch announcements, which can cause a client
mode interface to switch away from its operating channel, thereby losing
connectivity. This patch ensures that only spectrum management action
frames are processed by the CSA handling function and prevents rejected
action frames from getting processed by the MLME code.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/mlme.c
net/mac80211/rx.c

index 3e1eab963b8e55a73c17c566bf909e0eb6e21c89..05a18f43e1bf73fd34f029b1e35aa0a0193f7162 100644 (file)
@@ -1963,7 +1963,9 @@ static void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                        rma = ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);
                        break;
                case IEEE80211_STYPE_ACTION:
-                       /* XXX: differentiate, can only happen for CSA now! */
+                       if (mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
+                               break;
+
                        ieee80211_sta_process_chanswitch(sdata,
                                        &mgmt->u.action.u.chan_switch.sw_elem,
                                        ifmgd->associated);
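Review bot: The new guard under `case IEEE80211_STYPE_ACTION:` filters on the category only, so every spectrum-management action frame still reaches `ieee80211_sta_process_chanswitch()` whatever its action code, and nothing in the visible lines shows that `skb->len` covers `u.action.u.chan_switch.sw_elem`. If the RX path in rx.c does not already guarantee both (not visible from this hunk), the queued handler should re-check them, for example `if (mgmt->u.action.u.chan_switch.action_code != WLAN_ACTION_SPCT_CHL_SWITCH) break;` together with a length test against `IEEE80211_MIN_ACTION_SIZE + sizeof(mgmt->u.action.u.chan_switch)`. If the caller does guarantee them, a one-line comment stating that invariant should replace the removed XXX note, so the next action category added to the queue does not reopen the same hole. The body of `ieee80211_sta_rx_queued_mgmt()` starts and ends outside the hunk.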
index 54296999834b98a4ef7f2aa3d20e3b5965f00080..82a30c1bf3abf6c2874b9aff0088bf250e4a8f64 100644 (file)
@@ -2015,6 +2015,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                }
                break;
        default:
+               /* do not process rejected action frames */
+               if (mgmt->u.action.category & 0x80)
+                       return RX_DROP_MONITOR;
+
                return RX_CONTINUE;
        }
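Review bot: The `0x80` mask in the `default:` branch is a bare magic number, and the comment does not say why that bit means "rejected". As far as I know it is the 802.11 convention that an unrecognised action frame is returned to its sender with the top bit of the category set. I would spell that out, e.g. `/* bit 7 of the category marks a frame returned by the peer as unrecognised; drop it */`, or give the mask a name in the shared header. The test also relies on sitting in `default:`, that is, on no `case` label above having bit 7 set. The switch begins outside this hunk, so that cannot be confirmed here, and testing the bit before the switch would remove the dependency.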