Commit 05e5e883 authored by Luis Carlos Cobo's avatar Luis Carlos Cobo Committed by John W. Linville

mac80211: check for mesh_config length on incoming management frames

Signed-off-by: default avatarLuis Carlos Cobo <luisca@cozybit.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 966a5428
...@@ -2150,11 +2150,14 @@ ieee80211_rx_mesh_bss_get(struct net_device *dev, u8 *mesh_id, int mesh_id_len, ...@@ -2150,11 +2150,14 @@ ieee80211_rx_mesh_bss_get(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
static struct ieee80211_sta_bss * static struct ieee80211_sta_bss *
ieee80211_rx_mesh_bss_add(struct net_device *dev, u8 *mesh_id, int mesh_id_len, ieee80211_rx_mesh_bss_add(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
u8 *mesh_cfg, int freq) u8 *mesh_cfg, int mesh_config_len, int freq)
{ {
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
struct ieee80211_sta_bss *bss; struct ieee80211_sta_bss *bss;
if (mesh_config_len != MESH_CFG_LEN)
return NULL;
bss = kzalloc(sizeof(*bss), GFP_ATOMIC); bss = kzalloc(sizeof(*bss), GFP_ATOMIC);
if (!bss) if (!bss)
return NULL; return NULL;
...@@ -2528,7 +2531,8 @@ static void ieee80211_rx_bss_info(struct net_device *dev, ...@@ -2528,7 +2531,8 @@ static void ieee80211_rx_bss_info(struct net_device *dev,
#ifdef CONFIG_MAC80211_MESH #ifdef CONFIG_MAC80211_MESH
if (elems.mesh_config) if (elems.mesh_config)
bss = ieee80211_rx_mesh_bss_add(dev, elems.mesh_id, bss = ieee80211_rx_mesh_bss_add(dev, elems.mesh_id,
elems.mesh_id_len, elems.mesh_config, freq); elems.mesh_id_len, elems.mesh_config,
elems.mesh_config_len, freq);
else else
#endif #endif
bss = ieee80211_rx_bss_add(dev, mgmt->bssid, freq, bss = ieee80211_rx_bss_add(dev, mgmt->bssid, freq,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment