diff options
Diffstat (limited to 'net/wireless')
| -rw-r--r-- | net/wireless/scan.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index b7a167984986..d0fc6da2d097 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c | |||
| @@ -365,14 +365,18 @@ const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type, | |||
| 365 | if (!pos) | 365 | if (!pos) |
| 366 | return NULL; | 366 | return NULL; |
| 367 | 367 | ||
| 368 | if (end - pos < sizeof(*ie)) | ||
| 369 | return NULL; | ||
| 370 | |||
| 371 | ie = (struct ieee80211_vendor_ie *)pos; | 368 | ie = (struct ieee80211_vendor_ie *)pos; |
| 369 | |||
| 370 | /* make sure we can access ie->len */ | ||
| 371 | BUILD_BUG_ON(offsetof(struct ieee80211_vendor_ie, len) != 1); | ||
| 372 | |||
| 373 | if (ie->len < sizeof(*ie)) | ||
| 374 | goto cont; | ||
| 375 | |||
| 372 | ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2]; | 376 | ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2]; |
| 373 | if (ie_oui == oui && ie->oui_type == oui_type) | 377 | if (ie_oui == oui && ie->oui_type == oui_type) |
| 374 | return pos; | 378 | return pos; |
| 375 | 379 | cont: | |
| 376 | pos += 2 + ie->len; | 380 | pos += 2 + ie->len; |
| 377 | } | 381 | } |
| 378 | return NULL; | 382 | return NULL; |