diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2009-04-16 18:54:23 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-04-17 15:27:13 -0400 |
commit | 60375541f7c8a577b977d344565259776c3acfc1 (patch) | |
tree | 89be78d18bcc64af22599268e8698d39e87f9192 /net/mac80211 | |
parent | cd1658f592a60d028dd2e48d86724b737a82cab0 (diff) |
mac80211: validate TIM IE length
The TIM IE must not be shorter than 4 bytes, so verify that
when parsing it.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r-- | net/mac80211/mlme.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index dc60804d6dd0..1619e0cd26e2 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c | |||
@@ -441,6 +441,9 @@ static bool ieee80211_check_tim(struct ieee802_11_elems *elems, u16 aid) | |||
441 | u8 index, indexn1, indexn2; | 441 | u8 index, indexn1, indexn2; |
442 | struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim; | 442 | struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim; |
443 | 443 | ||
444 | if (unlikely(!tim || elems->tim_len < 4)) | ||
445 | return false; | ||
446 | |||
444 | aid &= 0x3fff; | 447 | aid &= 0x3fff; |
445 | index = aid / 8; | 448 | index = aid / 8; |
446 | mask = 1 << (aid & 7); | 449 | mask = 1 << (aid & 7); |