diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2013-03-27 14:30:12 +0100 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2013-04-08 09:16:56 +0200 |
| commit | 1cd8e88e17729f57a9c7f751103e522596bb5de2 (patch) | |
| tree | c20e4a7bed65480cea84f6a38bb4d0d44dd115f0 | |
| parent | a6dfba841c4d38312115dc6b08d86cc496af7e88 (diff) | |
| download | op-kernel-dev-1cd8e88e17729f57a9c7f751103e522596bb5de2.zip op-kernel-dev-1cd8e88e17729f57a9c7f751103e522596bb5de2.tar.gz | |
mac80211: check DSSS params IE length in parser
It's always just one byte, so check for that and
remove the length field from the parser struct.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| -rw-r--r-- | net/mac80211/ibss.c | 2 | ||||
| -rw-r--r-- | net/mac80211/ieee80211_i.h | 1 | ||||
| -rw-r--r-- | net/mac80211/mesh.c | 2 | ||||
| -rw-r--r-- | net/mac80211/mlme.c | 2 | ||||
| -rw-r--r-- | net/mac80211/util.c | 6 |
5 files changed, 7 insertions, 6 deletions
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c index 5ab32e2..2a0b218 100644 --- a/net/mac80211/ibss.c +++ b/net/mac80211/ibss.c @@ -463,7 +463,7 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata, struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band]; bool rates_updated = false; - if (elems->ds_params && elems->ds_params_len == 1) + if (elems->ds_params) freq = ieee80211_channel_to_frequency(elems->ds_params[0], band); else diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index bb4bfe4..eccd1d8 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1186,7 +1186,6 @@ struct ieee802_11_elems { /* length of them, respectively */ u8 ssid_len; u8 supp_rates_len; - u8 ds_params_len; u8 tim_len; u8 challenge_len; u8 rsn_len; diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index aead541..0acc287 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c @@ -907,7 +907,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata, (!elems.rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE)) return; - if (elems.ds_params && elems.ds_params_len == 1) + if (elems.ds_params) freq = ieee80211_channel_to_frequency(elems.ds_params[0], band); else freq = rx_status->freq; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index e12fedc..f76c58f 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2695,7 +2695,7 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata, } } - if (elems->ds_params && elems->ds_params_len == 1) + if (elems->ds_params) freq = ieee80211_channel_to_frequency(elems->ds_params[0], rx_status->band); else diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 2708b27..0f7d1c2 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -739,8 +739,10 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, elems->supp_rates_len = elen; break; case WLAN_EID_DS_PARAMS: - elems->ds_params = pos; - elems->ds_params_len = elen; + if (elen >= 1) + elems->ds_params = pos; + else + elem_parse_failed = true; break; case WLAN_EID_TIM: if (elen >= sizeof(struct ieee80211_tim_ie)) { |
