mac80211: check size of channel switch IE when parsing

The channel switch IE has a fixed size, so we can discard it in parsing if it's not the right size and use the right struct pointer. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Johannes Berg <johannes.berg@intel.com> 2012-08-01 10:13:02 -0400
committer: Johannes Berg <johannes.berg@intel.com> 2012-08-20 07:57:50 -0400
commit: 5bc1420b11903e9f8c470d3b33061b8de0c5c005 (patch)
tree: 5fa942edea59ad047aa58f9d84c6259cd3b4f314 /net
parent: 3049000b97bbfc90aa9ba413eadc4007e5bce2e0 (diff)
3 files changed, 9 insertions, 11 deletions
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index e22aee83ba53..793f03e15191 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1136,7 +1136,7 @@ struct ieee802_11_elems {
        u8 *prep;
        u8 *perr;
        struct ieee80211_rann_ie *rann;
-        u8 *ch_switch_elem;
+        struct ieee80211_channel_sw_ie *ch_switch_ie;
        u8 *country_elem;
        u8 *pwr_constr_elem;
        u8 *quiet_elem; /* first quite element */
@@ -1162,7 +1162,6 @@ struct ieee802_11_elems {
        u8 preq_len;
        u8 prep_len;
        u8 perr_len;
-        u8 ch_switch_elem_len;
        u8 country_elem_len;
        u8 pwr_constr_elem_len;
        u8 quiet_elem_len;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 9e61fe127a33..b9cb8dbe34d9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2267,14 +2267,10 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
                mutex_unlock(&local->iflist_mtx);
        }
-        if (elems->ch_switch_elem && (elems->ch_switch_elem_len == 3) &&
+        if (elems->ch_switch_ie &&
-            (memcmp(mgmt->bssid, sdata->u.mgd.associated->bssid,
+            memcmp(mgmt->bssid, sdata->u.mgd.associated->bssid, ETH_ALEN) == 0)
-                                                        ETH_ALEN) == 0)) {
+                ieee80211_sta_process_chanswitch(sdata, elems->ch_switch_ie,
-                struct ieee80211_channel_sw_ie *sw_elem =
-                        (struct ieee80211_channel_sw_ie *)elems->ch_switch_elem;
-                ieee80211_sta_process_chanswitch(sdata, sw_elem,
                                                 bss, rx_status->mactime);
-        }
 }
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 99e4258bdb26..7dff94e43a0c 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -768,8 +768,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
                                elem_parse_failed = true;
                        break;
                case WLAN_EID_CHANNEL_SWITCH:
-                        elems->ch_switch_elem = pos;
+                        if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
-                        elems->ch_switch_elem_len = elen;
+                                elem_parse_failed = true;
+                                break;
+                        }
+                        elems->ch_switch_ie = (void *)pos;
                        break;
                case WLAN_EID_QUIET:
                        if (!elems->quiet_elem) {
author	Johannes Berg <johannes.berg@intel.com>	2012-08-01 10:13:02 -0400
committer	Johannes Berg <johannes.berg@intel.com>	2012-08-20 07:57:50 -0400
commit	5bc1420b11903e9f8c470d3b33061b8de0c5c005 (patch)
tree	5fa942edea59ad047aa58f9d84c6259cd3b4f314 /net
parent	3049000b97bbfc90aa9ba413eadc4007e5bce2e0 (diff)