> Date: Wed, 3 Feb 2016 17:03:46 +0100
> From: Stefan Sperling <[email protected]>
>
> This allows tcpdump to see all control frames with iwn(4).
Hmm, the code below that does look inside the frame. How do we
guarantee it isn't looking at garbage or reading beyond the end of the
buffer?
> Index: if_iwn.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/pci/if_iwn.c,v
> retrieving revision 1.158
> diff -u -p -r1.158 if_iwn.c
> --- if_iwn.c 25 Jan 2016 11:27:11 -0000 1.158
> +++ if_iwn.c 3 Feb 2016 16:01:58 -0000
> @@ -2007,8 +2007,11 @@ iwn_rx_done(struct iwn_softc *sc, struct
> ifp->if_ierrors++;
> return;
> }
> - /* Discard frames that are too short. */
> - if (len < sizeof (*wh)) {
> + /*
> + * Discard frames that are too short, unless in monitor mode where we
> + * receive control frames which are shorter than regular data frames.
> + */
> + if (len < sizeof (*wh) && ic->ic_opmode != IEEE80211_M_MONITOR) {
> DPRINTF(("frame too short: %d\n", len));
> ic->ic_stats.is_rx_tooshort++;
> ifp->if_ierrors++;
>
>
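Review bot: The new test `len < sizeof (*wh) && ic->ic_opmode != IEEE80211_M_MONITOR` leaves monitor mode with no lower bound on `len` at this point, so a frame shorter than `sizeof (*wh)` of any length passes the check. The hunk adds nothing that bounds later reads through `wh`, which is the question raised in the reply above. Suggest keeping a minimum in monitor mode sized to the shortest control frame the driver is meant to pass up, instead of skipping the check entirely, and guarding any later access to header fields beyond that minimum with an explicit length test. The new comment should also state which bound applies in monitor mode, since "shorter than regular data frames" does not say how short is still acceptable.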