diff options
| author | Johannes Berg <johannes@sipsolutions.net> | 2008-10-07 13:31:17 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2008-10-14 20:47:15 -0400 |
| commit | 09914813da37f1ee9d77998a0701629cfbbd98f4 (patch) | |
| tree | 6577e7769862378abf62e6867a54b71da1dc12c6 /net/mac80211/util.c | |
| parent | 3eadd751eb8cb8090a65b4fa72c6360fd1aa5f06 (diff) | |
mac80211: fix HT information element parsing
There's no checking that the HT IEs are of the right length
which can be used by an attacker to cause an out-of-bounds
access by sending a too short HT information/capability IE.
Fix it by simply pretending those IEs didn't exist when too
short.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211/util.c')
| -rw-r--r-- | net/mac80211/util.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c index f32561ec224c..cee4884b9d06 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c | |||
| @@ -529,12 +529,12 @@ void ieee802_11_parse_elems(u8 *start, size_t len, | |||
| 529 | elems->ext_supp_rates_len = elen; | 529 | elems->ext_supp_rates_len = elen; |
| 530 | break; | 530 | break; |
| 531 | case WLAN_EID_HT_CAPABILITY: | 531 | case WLAN_EID_HT_CAPABILITY: |
| 532 | elems->ht_cap_elem = pos; | 532 | if (elen >= sizeof(struct ieee80211_ht_cap)) |
| 533 | elems->ht_cap_elem_len = elen; | 533 | elems->ht_cap_elem = (void *)pos; |
| 534 | break; | 534 | break; |
| 535 | case WLAN_EID_HT_EXTRA_INFO: | 535 | case WLAN_EID_HT_EXTRA_INFO: |
| 536 | elems->ht_info_elem = pos; | 536 | if (elen >= sizeof(struct ieee80211_ht_addt_info)) |
| 537 | elems->ht_info_elem_len = elen; | 537 | elems->ht_info_elem = (void *)pos; |
| 538 | break; | 538 | break; |
| 539 | case WLAN_EID_MESH_ID: | 539 | case WLAN_EID_MESH_ID: |
| 540 | elems->mesh_id = pos; | 540 | elems->mesh_id = pos; |