mac80211: check DSSS params IE length in parser
authorJohannes Berg <johannes.berg@intel.com>
Wed, 27 Mar 2013 13:30:12 +0000 (14:30 +0100)
committerJohannes Berg <johannes.berg@intel.com>
Mon, 8 Apr 2013 07:16:56 +0000 (09:16 +0200)
It's always just one byte, so check for that and
remove the length field from the parser struct.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/ibss.c
net/mac80211/ieee80211_i.h
net/mac80211/mesh.c
net/mac80211/mlme.c
net/mac80211/util.c

index 5ab32e2a7b568a0c42d1deda5a2c1e18958267f9..2a0b2186d98f39f38d3d2f4475aa2256cf485a9d 100644 (file)
@@ -463,7 +463,7 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
        struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band];
        bool rates_updated = false;
 
-       if (elems->ds_params && elems->ds_params_len == 1)
+       if (elems->ds_params)
                freq = ieee80211_channel_to_frequency(elems->ds_params[0],
                                                      band);
        else
index bb4bfe43bf403ee7472487a075cbf27fe66aad23..eccd1d805ecc7d1d9fac7a91e5b8545cfe27ae78 100644 (file)
@@ -1186,7 +1186,6 @@ struct ieee802_11_elems {
        /* length of them, respectively */
        u8 ssid_len;
        u8 supp_rates_len;
-       u8 ds_params_len;
        u8 tim_len;
        u8 challenge_len;
        u8 rsn_len;
index aead5410c622dd29a43c78bf6acdb021c5e01fbd..0acc2874d2943852efcc8ab835e8b7fe69e63af4 100644 (file)
@@ -907,7 +907,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
            (!elems.rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
                return;
 
-       if (elems.ds_params && elems.ds_params_len == 1)
+       if (elems.ds_params)
                freq = ieee80211_channel_to_frequency(elems.ds_params[0], band);
        else
                freq = rx_status->freq;
index e12fedcfa98870929f5ed779e83c933ff3d1d9f0..f76c58fb3bdcfa3d9a74747007492aff6ee97040 100644 (file)
@@ -2695,7 +2695,7 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
                }
        }
 
-       if (elems->ds_params && elems->ds_params_len == 1)
+       if (elems->ds_params)
                freq = ieee80211_channel_to_frequency(elems->ds_params[0],
                                                      rx_status->band);
        else
index 2708b270e944e5027b9e7614dd44f5c4c967f20e..0f7d1c20f8acfd53004e9214f20f1df0630b0f63 100644 (file)
@@ -739,8 +739,10 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
                        elems->supp_rates_len = elen;
                        break;
                case WLAN_EID_DS_PARAMS:
-                       elems->ds_params = pos;
-                       elems->ds_params_len = elen;
+                       if (elen >= 1)
+                               elems->ds_params = pos;
+                       else
+                               elem_parse_failed = true;
                        break;
                case WLAN_EID_TIM:
                        if (elen >= sizeof(struct ieee80211_tim_ie)) {
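Review bot: The parser check `if (elen >= 1)` under `case WLAN_EID_DS_PARAMS:` is looser than the `ds_params_len == 1` test this commit removes from the callers, and looser than the commit message's "always just one byte". A DS Params element from a received frame with a length above one is now accepted, so the ibss.c, mesh.c and mlme.c hunks take the channel from its first byte where they previously took the `else` branch (`freq = rx_status->freq` in the mesh.c hunk). If exact-length validation is intended, use `if (elen == 1)`; if accepting longer elements is deliberate, a comment such as `/* only the first octet (current channel) is used */` would record that. The enclosing switch and the declaration of `elem_parse_failed` lie outside the hunk, so the surrounding bounds check on `elen` could not be confirmed from here.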