aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuis Carlos Cobo <luisca@cozybit.com>2008-03-31 19:00:13 -0400
committerJohn W. Linville <linville@tuxdriver.com>2008-04-01 17:14:12 -0400
commit05e5e88373d91c75e9262a3f984be511960e510d (patch)
treede4e719001ae3e07a2d64b71445712f79eacd959
parent966a54282257ce1c43a5410dab2f2778a6f4dcf9 (diff)
mac80211: check for mesh_config length on incoming management frames
Signed-off-by: Luis Carlos Cobo <luisca@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/mac80211/ieee80211_sta.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/net/mac80211/ieee80211_sta.c b/net/mac80211/ieee80211_sta.c
index 152682d4bb1a..927ffbfe8582 100644
--- a/net/mac80211/ieee80211_sta.c
+++ b/net/mac80211/ieee80211_sta.c
@@ -2150,11 +2150,14 @@ ieee80211_rx_mesh_bss_get(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
2150 2150
2151static struct ieee80211_sta_bss * 2151static struct ieee80211_sta_bss *
2152ieee80211_rx_mesh_bss_add(struct net_device *dev, u8 *mesh_id, int mesh_id_len, 2152ieee80211_rx_mesh_bss_add(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
2153 u8 *mesh_cfg, int freq) 2153 u8 *mesh_cfg, int mesh_config_len, int freq)
2154{ 2154{
2155 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 2155 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
2156 struct ieee80211_sta_bss *bss; 2156 struct ieee80211_sta_bss *bss;
2157 2157
2158 if (mesh_config_len != MESH_CFG_LEN)
2159 return NULL;
2160
2158 bss = kzalloc(sizeof(*bss), GFP_ATOMIC); 2161 bss = kzalloc(sizeof(*bss), GFP_ATOMIC);
2159 if (!bss) 2162 if (!bss)
2160 return NULL; 2163 return NULL;
@@ -2528,7 +2531,8 @@ static void ieee80211_rx_bss_info(struct net_device *dev,
2528#ifdef CONFIG_MAC80211_MESH 2531#ifdef CONFIG_MAC80211_MESH
2529 if (elems.mesh_config) 2532 if (elems.mesh_config)
2530 bss = ieee80211_rx_mesh_bss_add(dev, elems.mesh_id, 2533 bss = ieee80211_rx_mesh_bss_add(dev, elems.mesh_id,
2531 elems.mesh_id_len, elems.mesh_config, freq); 2534 elems.mesh_id_len, elems.mesh_config,
2535 elems.mesh_config_len, freq);
2532 else 2536 else
2533#endif 2537#endif
2534 bss = ieee80211_rx_bss_add(dev, mgmt->bssid, freq, 2538 bss = ieee80211_rx_bss_add(dev, mgmt->bssid, freq,