diff options
| author | Bob Copeland <me@bobcopeland.com> | 2014-04-15 10:43:07 -0400 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2014-04-22 11:24:49 -0400 |
| commit | a40a8c17b22ea0ce6d54c04a2e77630768691338 (patch) | |
| tree | c146ae7436f4ba1676b5b5515ad6371b6503f52d | |
| parent | aee6499c8c6d0d1bc75cbae51f89c4d35a5aaa1f (diff) | |
mac80211: fix mesh_add_rsn_ie IE finding loop
Previously, the code to copy the RSN IE from the mesh config
would increment its pointer by one in the loop instead of by
the element length, so there was the potential for mistaking
another IE's data fields as the RSN IE.
cfg80211_find_ie() exists, so just use that.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| -rw-r--r-- | net/mac80211/mesh.c | 21 |
1 files changed, 8 insertions, 13 deletions
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index 9d292377d3a6..b06ddc9519ce 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c | |||
| @@ -366,20 +366,15 @@ int mesh_add_rsn_ie(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb) | |||
| 366 | return 0; | 366 | return 0; |
| 367 | 367 | ||
| 368 | /* find RSN IE */ | 368 | /* find RSN IE */ |
| 369 | data = ifmsh->ie; | 369 | data = cfg80211_find_ie(WLAN_EID_RSN, ifmsh->ie, ifmsh->ie_len); |
| 370 | while (data < ifmsh->ie + ifmsh->ie_len) { | 370 | if (!data) |
| 371 | if (*data == WLAN_EID_RSN) { | 371 | return 0; |
| 372 | len = data[1] + 2; | ||
| 373 | break; | ||
| 374 | } | ||
| 375 | data++; | ||
| 376 | } | ||
| 377 | 372 | ||
| 378 | if (len) { | 373 | len = data[1] + 2; |
| 379 | if (skb_tailroom(skb) < len) | 374 | |
| 380 | return -ENOMEM; | 375 | if (skb_tailroom(skb) < len) |
| 381 | memcpy(skb_put(skb, len), data, len); | 376 | return -ENOMEM; |
| 382 | } | 377 | memcpy(skb_put(skb, len), data, len); |
| 383 | 378 | ||
| 384 | return 0; | 379 | return 0; |
| 385 | } | 380 | } |