diff options
| author | Johannes Berg <johannes@sipsolutions.net> | 2008-10-07 19:31:17 +0200 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2008-10-14 20:47:15 -0400 |
| commit | 09914813da37f1ee9d77998a0701629cfbbd98f4 (patch) | |
| tree | 6577e7769862378abf62e6867a54b71da1dc12c6 /net/mac80211/util.c | |
| parent | 3eadd751eb8cb8090a65b4fa72c6360fd1aa5f06 (diff) | |
| download | op-kernel-dev-09914813da37f1ee9d77998a0701629cfbbd98f4.zip op-kernel-dev-09914813da37f1ee9d77998a0701629cfbbd98f4.tar.gz | |
mac80211: fix HT information element parsing
There's no checking that the HT IEs are of the right length
which can be used by an attacker to cause an out-of-bounds
access by sending a too short HT information/capability IE.
Fix it by simply pretending those IEs didn't exist when too
short.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211/util.c')
| -rw-r--r-- | net/mac80211/util.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c index f32561e..cee4884 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -529,12 +529,12 @@ void ieee802_11_parse_elems(u8 *start, size_t len, elems->ext_supp_rates_len = elen; break; case WLAN_EID_HT_CAPABILITY: - elems->ht_cap_elem = pos; - elems->ht_cap_elem_len = elen; + if (elen >= sizeof(struct ieee80211_ht_cap)) + elems->ht_cap_elem = (void *)pos; break; case WLAN_EID_HT_EXTRA_INFO: - elems->ht_info_elem = pos; - elems->ht_info_elem_len = elen; + if (elen >= sizeof(struct ieee80211_ht_addt_info)) + elems->ht_info_elem = (void *)pos; break; case WLAN_EID_MESH_ID: elems->mesh_id = pos; |
