mac80211: Fix invalid length passed to IE parser for PLINK CONFIRM frames

[pandora-kernel.git] / net / mac80211 / mesh_plink.c

diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index a8bbdec..ffcbad7 100644 (file)
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -266,6 +266,11 @@ static void mesh_plink_timer(unsigned long data)
         */
        sta = (struct sta_info *) data;
 
+       if (sta->sdata->local->quiescing) {
+               sta->plink_timer_was_running = true;
+               return;
+       }
+
        spin_lock_bh(&sta->lock);
        if (sta->ignore_plink_timer) {
                sta->ignore_plink_timer = false;
@@ -322,6 +327,22 @@ static void mesh_plink_timer(unsigned long data)
        }
 }
 
+#ifdef CONFIG_PM
+void mesh_plink_quiesce(struct sta_info *sta)
+{
+       if (del_timer_sync(&sta->plink_timer))
+               sta->plink_timer_was_running = true;
+}
+
+void mesh_plink_restart(struct sta_info *sta)
+{
+       if (sta->plink_timer_was_running) {
+               add_timer(&sta->plink_timer);
+               sta->plink_timer_was_running = false;
+       }
+}
+#endif
+
 static inline void mesh_plink_timer_set(struct sta_info *sta, int timeout)
 {
        sta->plink_timer.expires = jiffies + (HZ * timeout / 1000);
@@ -388,7 +409,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
        baselen = (u8 *) mgmt->u.action.u.plink_action.variable - (u8 *) mgmt;
        if (mgmt->u.action.u.plink_action.action_code == PLINK_CONFIRM) {
                baseaddr += 4;
-               baselen -= 4;
+               baselen += 4;
        }
        ieee802_11_parse_elems(baseaddr, len - baselen, &elems);
        if (!elems.peer_link) {