diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2012-08-01 10:13:02 -0400 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2012-08-20 07:57:50 -0400 |
| commit | 5bc1420b11903e9f8c470d3b33061b8de0c5c005 (patch) | |
| tree | 5fa942edea59ad047aa58f9d84c6259cd3b4f314 /net/mac80211/util.c | |
| parent | 3049000b97bbfc90aa9ba413eadc4007e5bce2e0 (diff) | |
mac80211: check size of channel switch IE when parsing
The channel switch IE has a fixed size, so we can
discard it in parsing if it's not the right size
and use the right struct pointer.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/util.c')
| -rw-r--r-- | net/mac80211/util.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 99e4258bdb26..7dff94e43a0c 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c | |||
| @@ -768,8 +768,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, | |||
| 768 | elem_parse_failed = true; | 768 | elem_parse_failed = true; |
| 769 | break; | 769 | break; |
| 770 | case WLAN_EID_CHANNEL_SWITCH: | 770 | case WLAN_EID_CHANNEL_SWITCH: |
| 771 | elems->ch_switch_elem = pos; | 771 | if (elen != sizeof(struct ieee80211_channel_sw_ie)) { |
| 772 | elems->ch_switch_elem_len = elen; | 772 | elem_parse_failed = true; |
| 773 | break; | ||
| 774 | } | ||
| 775 | elems->ch_switch_ie = (void *)pos; | ||
| 773 | break; | 776 | break; |
| 774 | case WLAN_EID_QUIET: | 777 | case WLAN_EID_QUIET: |
| 775 | if (!elems->quiet_elem) { | 778 | if (!elems->quiet_elem) { |