[src/trunk]: src/sys/net80211 Style, and make sure that there is a header+tra...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/bfc9b9a41ec8
branches:  trunk
changeset: 358836:bfc9b9a41ec8
user:      maxv <maxv%NetBSD.org@localhost>
date:      Fri Jan 19 07:52:37 2018 +0000

description:
Style, and make sure that there is a header+trailer included in the
packet. The crypto functions can touch the trailer, but they don't check
whether it's there in the first place.

diffstat:

 sys/net80211/ieee80211_crypto.c |  28 ++++++++++++++++++++++------
 1 files changed, 22 insertions(+), 6 deletions(-)

diffs (76 lines):

diff -r e57138958c29 -r bfc9b9a41ec8 sys/net80211/ieee80211_crypto.c
--- a/sys/net80211/ieee80211_crypto.c   Fri Jan 19 05:19:29 2018 +0000
+++ b/sys/net80211/ieee80211_crypto.c   Fri Jan 19 07:52:37 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ieee80211_crypto.c,v 1.20 2018/01/17 17:41:38 maxv Exp $       */
+/*     $NetBSD: ieee80211_crypto.c,v 1.21 2018/01/19 07:52:37 maxv Exp $       */
 
 /*
  * Copyright (c) 2001 Atsushi Onoe
@@ -37,7 +37,7 @@
 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_crypto.c,v 1.12 2005/08/08 18:46:35 sam Exp $");
 #endif
 #ifdef __NetBSD__
-__KERNEL_RCSID(0, "$NetBSD: ieee80211_crypto.c,v 1.20 2018/01/17 17:41:38 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ieee80211_crypto.c,v 1.21 2018/01/19 07:52:37 maxv Exp $");
 #endif
 
 #ifdef _KERNEL_OPT
@@ -48,7 +48,7 @@
  * IEEE 802.11 generic crypto support.
  */
 #include <sys/param.h>
-#include <sys/mbuf.h>   
+#include <sys/mbuf.h>
 
 #include <sys/socket.h>
 #include <sys/sockio.h>
@@ -72,7 +72,7 @@
 static const struct ieee80211_cipher *ciphers[IEEE80211_CIPHER_MAX];
 
 #ifdef INET
-#include <netinet/in.h> 
+#include <netinet/in.h>
 #include <net/if_ether.h>
 #endif
 
@@ -136,7 +136,7 @@
        key->wk_cipher->ic_detach(key);
 }
 
-/* 
+/*
  * Wrappers for driver key management methods.
  */
 static __inline int
@@ -605,7 +605,12 @@
        struct mbuf *m = *mp;
        u_int8_t keyid;
 
-       /* NB: this minimum size data frame could be bigger */
+       KASSERT((m->m_flags & M_PKTHDR) != 0);
+
+       /*
+        * This minimum size data frame could be bigger. It is re-checked
+        * below.
+        */
        if (m->m_pkthdr.len < IEEE80211_WEP_MINLEN) {
                IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
                        "%s: WEP data frame too short, len %u\n",
@@ -646,5 +651,16 @@
                return NULL;
        }
 
+       /*
+        * Ensure there is a header+trailer included.
+        */
+       if (m->m_pkthdr.len < hdrlen + cip->ic_header + cip->ic_trailer) {
+               IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
+                       "%s: WEP data frame too short, len %u\n",
+                       __func__, m->m_pkthdr.len);
+               ic->ic_stats.is_rx_tooshort++;
+               return NULL;
+       }
+
        return (cip->ic_decap(k, m, hdrlen) ? k : NULL);
 }