authorJohannes Berg <johannes@sipsolutions.net>2008-10-07 13:31:17 -0400
committerJohn W. Linville <linville@tuxdriver.com>2008-10-14 20:47:15 -0400
commit09914813da37f1ee9d77998a0701629cfbbd98f4 (patch)
tree6577e7769862378abf62e6867a54b71da1dc12c6
parent3eadd751eb8cb8090a65b4fa72c6360fd1aa5f06 (diff)
mac80211: fix HT information element parsing
There's no checking that the HT IEs are of the right length which can be used by an attacker to cause an out-of-bounds access by sending a too short HT information/capability IE. Fix it by simply pretending those IEs didn't exist when too short. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/mac80211/ieee80211_i.h6
-rw-r--r--net/mac80211/mlme.c3
-rw-r--r--net/mac80211/util.c8
3 files changed, 6 insertions, 11 deletions
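diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 8025b294588b..156e42a003ae 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -816,8 +816,8 @@ struct ieee802_11_elems {
 u8 *ext_supp_rates;
 u8 *wmm_info;
 u8 *wmm_param;
-u8 *ht_cap_elem;
-u8 *ht_info_elem;
+struct ieee80211_ht_cap *ht_cap_elem;
+struct ieee80211_ht_addt_info *ht_info_elem;
 u8 *mesh_config;
 u8 *mesh_id;
 u8 *peer_link;
@@ -844,8 +844,6 @@ struct ieee802_11_elems {
 u8 ext_supp_rates_len;
 u8 wmm_info_len;
 u8 wmm_param_len;
-u8 ht_cap_elem_len;
-u8 ht_info_elem_len;
 u8 mesh_config_len;
 u8 mesh_id_len;
 u8 peer_link_len;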
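Review bot: The struct-typed fields at 819–820 now carry an invariant the header does not state: they are set only when the parser saw an IE body at least sizeof the struct long and stay NULL otherwise, and with the `_len` fields gone at 847–848 that NULL is the only length signal consumers have. Add a comment above them, `/* NULL unless the IE body was at least sizeof(*ht_cap_elem) / sizeof(*ht_info_elem) bytes */`, so a later maintainer neither reintroduces a separate length nor dereferences them unconditionally. These pointers alias raw frame bytes at an arbitrary offset, which presumably relies on both structs being declared packed; the definitions are outside this hunk, so that is worth confirming where they live.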
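diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 49f86fa56bff..87665d7bb4f9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1348,10 +1348,8 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
 (ifsta->flags & IEEE80211_STA_WMM_ENABLED)) {
 struct ieee80211_ht_bss_info bss_info;
 ieee80211_ht_cap_ie_to_ht_info(
-(struct ieee80211_ht_cap *)
 elems.ht_cap_elem, &sta->sta.ht_info);
 ieee80211_ht_addt_info_ie_to_ht_bss_info(
-(struct ieee80211_ht_addt_info *)
 elems.ht_info_elem, &bss_info);
 ieee80211_handle_ht(local, 1, &sta->sta.ht_info, &bss_info);
 }
@@ -1709,7 +1707,6 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
 struct ieee80211_ht_bss_info bss_info;
 
 ieee80211_ht_addt_info_ie_to_ht_bss_info(
-(struct ieee80211_ht_addt_info *)
 elems.ht_info_elem, &bss_info);
 changed |= ieee80211_handle_ht(local, 1, &conf->ht_conf,
 &bss_info);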
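Review bot: Now that the parser leaves `elems.ht_cap_elem` and `elems.ht_info_elem` NULL for a too-short IE, the calls at 1350–1353 and 1709–1710 are safe only if the enclosing conditions test those pointers, and both conditions begin outside the hunk — the visible fragment at 1348 shows only the WMM-flag conjunct. If the preceding conjuncts do not already include `elems.ht_cap_elem && elems.ht_info_elem` (and at least `elems.ht_info_elem` for the beacon path), a truncated IE turns the former out-of-bounds read into a NULL-pointer dereference, so please confirm or add them. A one-line comment above each call, `/* both pointers are NULL-checked in the enclosing condition; the parser only sets them for full-length IEs */`, would record that dependency for whoever next touches the condition. Both enclosing functions start and end outside the hunk.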
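diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index f32561ec224c..cee4884b9d06 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -529,12 +529,12 @@ void ieee802_11_parse_elems(u8 *start, size_t len,
 elems->ext_supp_rates_len = elen;
 break;
 case WLAN_EID_HT_CAPABILITY:
-elems->ht_cap_elem = pos;
-elems->ht_cap_elem_len = elen;
+if (elen >= sizeof(struct ieee80211_ht_cap))
+elems->ht_cap_elem = (void *)pos;
 break;
 case WLAN_EID_HT_EXTRA_INFO:
-elems->ht_info_elem = pos;
-elems->ht_info_elem_len = elen;
+if (elen >= sizeof(struct ieee80211_ht_addt_info))
+elems->ht_info_elem = (void *)pos;
 break;
 case WLAN_EID_MESH_ID:
 elems->mesh_id = pos;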
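Review bot: The length gates at 532 and 536 are the entire fix but carry no explanation, and the `(void *)pos` cast now treats an IE body at an arbitrary byte offset in the frame as a struct; add `/* drop a truncated IE so consumers cannot read past it; struct must be packed, >= accepts longer IEs for forward compat */` above the first `if`. Whether `struct ieee80211_ht_cap` and `struct ieee80211_ht_addt_info` are declared packed is not visible here — if they are not, the typed access is a misaligned-access risk on strict-alignment targets rather than just an aliasing concern. A second, shorter occurrence of the same IE leaves the earlier pointer in place rather than clearing it, which looks intentional but is worth a word in the same comment. ieee802_11_parse_elems starts before this hunk, so the outer check that `elen` fits within the remaining `len` is assumed rather than seen.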