author | Johannes Berg <johannes.berg@intel.com> | 2012-08-01 16:13:02 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2012-08-20 13:57:50 +0200 |
commit | 5bc1420b11903e9f8c470d3b33061b8de0c5c005 (patch) | |
tree | 5fa942edea59ad047aa58f9d84c6259cd3b4f314 /net/mac80211/util.c | |
parent | mac80211: fix CSA handling timer (diff) | |
mac80211: check size of channel switch IE when parsing
The channel switch IE has a fixed size, so we can
discard it in parsing if it's not the right size
and use the right struct pointer.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/util.c')
-rw-r--r-- | net/mac80211/util.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 99e4258bdb26..7dff94e43a0c 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -768,8 +768,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
 elem_parse_failed = true;
 break;
 case WLAN_EID_CHANNEL_SWITCH:
- elems->ch_switch_elem = pos;
- elems->ch_switch_elem_len = elen;
+ if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
+ elem_parse_failed = true;
+ break;
+ }
+ elems->ch_switch_ie = (void *)pos;
 break;
 case WLAN_EID_QUIET:
 if (!elems->quiet_elem) { |
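Review bot: The assignment `elems->ch_switch_ie = (void *)pos;` casts through `void *`, so nothing ties the length test above it to the type of the field it guards, and since this element is parsed out of a received frame that test is the only bound on later reads through the pointer. Writing the test as `if (elen != sizeof(*elems->ch_switch_ie)) {` and the cast as `(struct ieee80211_channel_sw_ie *)pos` would keep the two in step if the field type ever changes (the field's declaration is not in this hunk, so its type is assumed from the commit message). Because `pos` points at an arbitrary offset inside the frame, the struct presumably has to be packed with byte-sized members; confirm that where it is declared. A one-line comment such as `/* fixed-size IE: reject any other length so ch_switch_ie can be read without a separate length field */` would record why `ch_switch_elem_len` is gone. The switch statement and the enclosing function begin and end outside the hunk.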