Commit 761a48d2 authored by Johannes Berg's avatar Johannes Berg

mac80211: check power constraint IE size when parsing

The power constraint IE is always a single byte
so check the size when parsing instead of later.
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent f8fffc7e
...@@ -1165,7 +1165,6 @@ struct ieee802_11_elems { ...@@ -1165,7 +1165,6 @@ struct ieee802_11_elems {
u8 prep_len; u8 prep_len;
u8 perr_len; u8 perr_len;
u8 country_elem_len; u8 country_elem_len;
u8 pwr_constr_elem_len;
u8 quiet_elem_len; u8 quiet_elem_len;
u8 num_of_quiet_elem; /* can be more the one */ u8 num_of_quiet_elem; /* can be more the one */
u8 timeout_int_len; u8 timeout_int_len;
......
...@@ -821,18 +821,13 @@ void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata, ...@@ -821,18 +821,13 @@ void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
} }
static void ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata, static void ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
u16 capab_info, u8 *pwr_constr_elem, u16 capab_info, u8 *pwr_constr_elem)
u8 pwr_constr_elem_len)
{ {
struct ieee80211_conf *conf = &sdata->local->hw.conf; struct ieee80211_conf *conf = &sdata->local->hw.conf;
if (!(capab_info & WLAN_CAPABILITY_SPECTRUM_MGMT)) if (!(capab_info & WLAN_CAPABILITY_SPECTRUM_MGMT))
return; return;
/* Power constraint IE length should be 1 octet */
if (pwr_constr_elem_len != 1)
return;
if ((*pwr_constr_elem <= conf->channel->max_reg_power) && if ((*pwr_constr_elem <= conf->channel->max_reg_power) &&
(*pwr_constr_elem != sdata->local->power_constr_level)) { (*pwr_constr_elem != sdata->local->power_constr_level)) {
sdata->local->power_constr_level = *pwr_constr_elem; sdata->local->power_constr_level = *pwr_constr_elem;
...@@ -2552,8 +2547,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, ...@@ -2552,8 +2547,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
if (elems.pwr_constr_elem) if (elems.pwr_constr_elem)
ieee80211_handle_pwr_constr(sdata, ieee80211_handle_pwr_constr(sdata,
le16_to_cpu(mgmt->u.probe_resp.capab_info), le16_to_cpu(mgmt->u.probe_resp.capab_info),
elems.pwr_constr_elem, elems.pwr_constr_elem);
elems.pwr_constr_elem_len);
} }
ieee80211_bss_info_change_notify(sdata, changed); ieee80211_bss_info_change_notify(sdata, changed);
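Review bot: `ieee80211_handle_pwr_constr()` now reads `*pwr_constr_elem` with no length check of its own, so the read is only in bounds while every producer of `elems.pwr_constr_elem` guarantees exactly one octet. The commit moves that guarantee into the element parser, but nothing at the function records the dependency. I would add a comment above the function, for example `/* pwr_constr_elem must point at exactly one octet; the element parser rejects any other length */`, so a later change that fills the pointer some other way does not silently reintroduce an out-of-bounds read. The function body continues past the end of the hunk, so any further uses of the pointer are not visible here.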
......
...@@ -792,8 +792,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, ...@@ -792,8 +792,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
elems->country_elem_len = elen; elems->country_elem_len = elen;
break; break;
case WLAN_EID_PWR_CONSTRAINT: case WLAN_EID_PWR_CONSTRAINT:
if (elen != 1) {
elem_parse_failed = true;
break;
}
elems->pwr_constr_elem = pos; elems->pwr_constr_elem = pos;
elems->pwr_constr_elem_len = elen;
break; break;
case WLAN_EID_TIMEOUT_INTERVAL: case WLAN_EID_TIMEOUT_INTERVAL:
elems->timeout_int = pos; elems->timeout_int = pos;
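Review bot: The new `if (elen != 1)` check under `case WLAN_EID_PWR_CONSTRAINT:` has no comment, and the explanation that sat next to the removed handler check is gone with it. I would put `/* Power Constraint element body is exactly one octet */` directly above the `if`. Storing `pos` is only safe if the loop has already confirmed that `elen` octets remain in the frame; that bound check is not visible in this hunk and is presumably earlier in `ieee802_11_parse_elems_crc()`, which is worth confirming. How `elem_parse_failed` is consumed is also outside the hunk, so it is worth checking that the beacon path behaves as intended now that a malformed element is flagged at parse time instead of being ignored in the handler.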
......