mac80211: Fix invalid length passed to IE parser for PLINK CONFIRM frames
author David Woo <xinhua_wu@realsil.com.cn>
Wed, 12 Aug 2009 18:03:44 +0000 (11:03 -0700)
committer John W. Linville <linville@tuxdriver.com>
Fri, 14 Aug 2009 13:14:06 +0000 (09:14 -0400)
The length of the fixed portion of plink confirm frames is 4 bytes longer than
the other plink_action frames.  This patch corrects an error in the length
adjustment done for this type of frame.

Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/mesh_plink.c

index cb14253..ffcbad7 100644 (file)
@@ -409,7 +409,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
        baselen = (u8 *) mgmt->u.action.u.plink_action.variable - (u8 *) mgmt;
        if (mgmt->u.action.u.plink_action.action_code == PLINK_CONFIRM) {
                baseaddr += 4;
-               baselen -= 4;
+               baselen += 4;
        }
        ieee802_11_parse_elems(baseaddr, len - baselen, &elems);
        if (!elems.peer_link) {
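
Review bot: In the PLINK_CONFIRM branch, `len - baselen` is handed to ieee802_11_parse_elems() right after `baselen += 4`, and no check that len is at least the adjusted baselen is visible in this hunk. If the only length validation earlier in the function is against the unadjusted fixed part, a CONFIRM frame that ends inside the extra 4 bytes makes the subtraction go negative (or wrap, if len is unsigned) and the parser is given a bogus length. Please confirm the frame is rejected when `len < baselen` after the adjustment, or add that test inside the branch before the parse call. Separately, the bare `4` appears twice with no explanation; a short comment or named constant saying which fixed field of the confirm frame it accounts for would make it harder to get the sign wrong again, which is exactly the mistake the `-`/`+` line pair here corrects (the pointer moved forward by 4 while the remaining length grew by 4).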