From: David Woo Date: Wed, 12 Aug 2009 18:03:44 +0000 (-0700) Subject: mac80211: Fix invalid length passed to IE parser for PLINK CONFIRM frames X-Git-Tag: firefly_0821_release~12983^2~367^2~8 X-Git-Url: http://plrg.eecs.uci.edu/git/?a=commitdiff_plain;h=70bdb6b275d789ddf05c3a858e6b57715539394b;p=firefly-linux-kernel-4.4.55.git mac80211: Fix invalid length passed to IE parser for PLINK CONFIRM frames The length of the fixed portion of plink confirm frames is 4 bytes longer than the other plink_action frames. This path corrects an error in the length adjustment done for these type of frames. Signed-off-by: Javier Cardona Signed-off-by: John W. Linville --- diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c index cb14253587f1..ffcbad75e09b 100644 --- a/net/mac80211/mesh_plink.c +++ b/net/mac80211/mesh_plink.c @@ -409,7 +409,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m baselen = (u8 *) mgmt->u.action.u.plink_action.variable - (u8 *) mgmt; if (mgmt->u.action.u.plink_action.action_code == PLINK_CONFIRM) { baseaddr += 4; - baselen -= 4; + baselen += 4; } ieee802_11_parse_elems(baseaddr, len - baselen, &elems); if (!elems.peer_link) {
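Review bot: the `len - baselen` argument to `ieee802_11_parse_elems()` right after the PLINK_CONFIRM branch has no visible guard that `len` is at least `baselen` once the 4 has been added. A confirm frame shorter than its fixed portion would make the remaining length negative, or wrap, depending on the types declared outside this hunk. Unless a length check above the hunk already accounts for the extra 4 bytes, add one after the adjustment and before the call, for example `if (len < baselen) return;`. Separately, the bare `4` in `baseaddr += 4;` and `baselen += 4;` would read better as a named constant, or with a one-line comment saying it is the additional fixed portion of confirm frames described in the commit message, so the two adjustments are visibly tied together and must move in the same direction.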