author | sam <sam@FreeBSD.org> | 2006-01-23 19:31:00 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2006-01-23 19:31:00 +0000 |
commit | 1e87b34be9783963c61ba7f98d72c79c7f7de0e3 (patch) | |
tree | 3c882ea6de1280296604bae519d321b689bbef3e /sys/net80211/ieee80211_input.c | |
parent | 18ba9270dcecbe786471c3cbc40adcb03ff9a786 (diff) | |
bounds check each ie's length when parsing
Obtained from: madwifi
MFC after: 1 week
Diffstat (limited to 'sys/net80211/ieee80211_input.c')
-rw-r--r-- | sys/net80211/ieee80211_input.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 5e3b2f7..69738ab 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1769,6 +1769,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 scan.chan = scan.bchan;
 while (frm < efrm) {
+ IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
 switch (*frm) {
 case IEEE80211_ELEMID_SSID:
 scan.ssid = frm;
@@ -2001,6 +2002,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 */
 ssid = rates = xrates = NULL;
 while (frm < efrm) {
+ IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
 switch (*frm) {
 case IEEE80211_ELEMID_SSID:
 ssid = frm;
@@ -2177,6 +2179,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 frm += 6; /* ignore current AP info */
 ssid = rates = xrates = wpa = wme = NULL;
 while (frm < efrm) {
+ IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
 switch (*frm) {
 case IEEE80211_ELEMID_SSID:
 ssid = frm;
@@ -2381,6 +2384,7 @@ ieee80211_recv_mgmt(struct ieee80211com *ic, struct mbuf *m0,
 rates = xrates = wpa = wme = NULL;
 while (frm < efrm) {
+ IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);
 switch (*frm) {
 case IEEE80211_ELEMID_RATES:
 rates = frm;
|
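Review bot: The new `IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1]);` at the top of the loop in the @@ -1769 hunk compares the bytes left in the frame, which still include the two-byte id/length header, against the payload length alone, so an element whose body ends up to two bytes past `efrm` would still be accepted; the hunks at @@ -2001, @@ -2177 and @@ -2381 add the same line. This assumes the macro rejects when its first argument is smaller than the second, as its use here suggests; its definition is not in the diff. The loop guard `frm < efrm` also lets `frm[1]` be read when only one byte remains. I would change each loop to `while (efrm - frm > 1) {` and each check to `IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2);`. The loop bodies continue outside every hunk, so any per-element length checks further down are not visible here.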