Commit 5bc1420b authored by Johannes Berg's avatar Johannes Berg

mac80211: check size of channel switch IE when parsing

The channel switch IE has a fixed size, so we can
discard it in parsing if it's not the right size
and use the right struct pointer.
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 3049000b
...@@ -1136,7 +1136,7 @@ struct ieee802_11_elems { ...@@ -1136,7 +1136,7 @@ struct ieee802_11_elems {
u8 *prep; u8 *prep;
u8 *perr; u8 *perr;
struct ieee80211_rann_ie *rann; struct ieee80211_rann_ie *rann;
u8 *ch_switch_elem; struct ieee80211_channel_sw_ie *ch_switch_ie;
u8 *country_elem; u8 *country_elem;
u8 *pwr_constr_elem; u8 *pwr_constr_elem;
u8 *quiet_elem; /* first quite element */ u8 *quiet_elem; /* first quite element */
...@@ -1162,7 +1162,6 @@ struct ieee802_11_elems { ...@@ -1162,7 +1162,6 @@ struct ieee802_11_elems {
u8 preq_len; u8 preq_len;
u8 prep_len; u8 prep_len;
u8 perr_len; u8 perr_len;
u8 ch_switch_elem_len;
u8 country_elem_len; u8 country_elem_len;
u8 pwr_constr_elem_len; u8 pwr_constr_elem_len;
u8 quiet_elem_len; u8 quiet_elem_len;
......
...@@ -2267,14 +2267,10 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata, ...@@ -2267,14 +2267,10 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
mutex_unlock(&local->iflist_mtx); mutex_unlock(&local->iflist_mtx);
} }
if (elems->ch_switch_elem && (elems->ch_switch_elem_len == 3) && if (elems->ch_switch_ie &&
(memcmp(mgmt->bssid, sdata->u.mgd.associated->bssid, memcmp(mgmt->bssid, sdata->u.mgd.associated->bssid, ETH_ALEN) == 0)
ETH_ALEN) == 0)) { ieee80211_sta_process_chanswitch(sdata, elems->ch_switch_ie,
struct ieee80211_channel_sw_ie *sw_elem =
(struct ieee80211_channel_sw_ie *)elems->ch_switch_elem;
ieee80211_sta_process_chanswitch(sdata, sw_elem,
bss, rx_status->mactime); bss, rx_status->mactime);
}
} }
......
...@@ -768,8 +768,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, ...@@ -768,8 +768,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
elem_parse_failed = true; elem_parse_failed = true;
break; break;
case WLAN_EID_CHANNEL_SWITCH: case WLAN_EID_CHANNEL_SWITCH:
elems->ch_switch_elem = pos; if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
elems->ch_switch_elem_len = elen; elem_parse_failed = true;
break;
}
elems->ch_switch_ie = (void *)pos;
break; break;
case WLAN_EID_QUIET: case WLAN_EID_QUIET:
if (!elems->quiet_elem) { if (!elems->quiet_elem) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment