mac80211: fix HT information element parsing

There's no checking that the HT IEs are of the right length which can be used by an attacker to cause an out-of-bounds access by sending a too short HT information/capability IE. Fix it by simply pretending those IEs didn't exist when too short. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Johannes Berg <johannes@sipsolutions.net> 2008-10-07 13:31:17 -0400
committer: John W. Linville <linville@tuxdriver.com> 2008-10-14 20:47:15 -0400
commit: 09914813da37f1ee9d77998a0701629cfbbd98f4 (patch)
tree: 6577e7769862378abf62e6867a54b71da1dc12c6 /net/mac80211/ieee80211_i.h
parent: 3eadd751eb8cb8090a65b4fa72c6360fd1aa5f06 (diff)
1 files changed, 2 insertions, 4 deletions
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 8025b294588b..156e42a003ae 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -816,8 +816,8 @@ struct ieee802_11_elems {
        u8 *ext_supp_rates;
        u8 *wmm_info;
        u8 *wmm_param;
-        u8 *ht_cap_elem;
+        struct ieee80211_ht_cap *ht_cap_elem;
-        u8 *ht_info_elem;
+        struct ieee80211_ht_addt_info *ht_info_elem;
        u8 *mesh_config;
        u8 *mesh_id;
        u8 *peer_link;
@@ -844,8 +844,6 @@ struct ieee802_11_elems {
        u8 ext_supp_rates_len;
        u8 wmm_info_len;
        u8 wmm_param_len;
-        u8 ht_cap_elem_len;
-        u8 ht_info_elem_len;
        u8 mesh_config_len;
        u8 mesh_id_len;
        u8 peer_link_len;
author	Johannes Berg <johannes@sipsolutions.net>	2008-10-07 13:31:17 -0400
committer	John W. Linville <linville@tuxdriver.com>	2008-10-14 20:47:15 -0400
commit	09914813da37f1ee9d77998a0701629cfbbd98f4 (patch)
tree	6577e7769862378abf62e6867a54b71da1dc12c6 /net/mac80211/ieee80211_i.h
parent	3eadd751eb8cb8090a65b4fa72c6360fd1aa5f06 (diff)