diff options
| author |   Johannes Berg <johannes@sipsolutions.net> | 2008-10-07 19:31:17 +0200 |
|---|---|---|
| committer |   John W. Linville <linville@tuxdriver.com> | 2008-10-14 20:47:15 -0400 |
| commit | 09914813da37f1ee9d77998a0701629cfbbd98f4 (patch) | |
| tree | 6577e7769862378abf62e6867a54b71da1dc12c6 /net/mac80211/util.c | |
| parent | p54: Fix compilation problem on PPC (diff) | |
| download | linux-dev-09914813da37f1ee9d77998a0701629cfbbd98f4.tar.xz linux-dev-09914813da37f1ee9d77998a0701629cfbbd98f4.zip | |
mac80211: fix HT information element parsing
There's no checking that the HT IEs are of the right length
which can be used by an attacker to cause an out-of-bounds
access by sending a too short HT information/capability IE.
Fix it by simply pretending those IEs didn't exist when too
short.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211/util.c')
| -rw-r--r-- | net/mac80211/util.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c index f32561ec224c..cee4884b9d06 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -529,12 +529,12 @@ void ieee802_11_parse_elems(u8 *start, size_t len, elems->ext_supp_rates_len = elen; break; case WLAN_EID_HT_CAPABILITY: - elems->ht_cap_elem = pos; - elems->ht_cap_elem_len = elen; + if (elen >= sizeof(struct ieee80211_ht_cap)) + elems->ht_cap_elem = (void *)pos; break; case WLAN_EID_HT_EXTRA_INFO: - elems->ht_info_elem = pos; - elems->ht_info_elem_len = elen; + if (elen >= sizeof(struct ieee80211_ht_addt_info)) + elems->ht_info_elem = (void *)pos; break; case WLAN_EID_MESH_ID: elems->mesh_id = pos; |