summaryrefslogtreecommitdiffstats
path: root/net/mac80211/mlme.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2008-10-07 19:31:17 +0200
committerJohn W. Linville <linville@tuxdriver.com>2008-10-14 20:47:15 -0400
commit09914813da37f1ee9d77998a0701629cfbbd98f4 (patch)
tree6577e7769862378abf62e6867a54b71da1dc12c6 /net/mac80211/mlme.c
parent3eadd751eb8cb8090a65b4fa72c6360fd1aa5f06 (diff)
downloadlinux-09914813da37f1ee9d77998a0701629cfbbd98f4.tar.bz2
mac80211: fix HT information element parsing
There's no checking that the HT IEs are of the right length which can be used by an attacker to cause an out-of-bounds access by sending a too short HT information/capability IE. Fix it by simply pretending those IEs didn't exist when too short. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211/mlme.c')
-rw-r--r--net/mac80211/mlme.c3
1 files changed, 0 insertions, 3 deletions
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 49f86fa56bff..87665d7bb4f9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1348,10 +1348,8 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
(ifsta->flags & IEEE80211_STA_WMM_ENABLED)) {
struct ieee80211_ht_bss_info bss_info;
ieee80211_ht_cap_ie_to_ht_info(
- (struct ieee80211_ht_cap *)
elems.ht_cap_elem, &sta->sta.ht_info);
ieee80211_ht_addt_info_ie_to_ht_bss_info(
- (struct ieee80211_ht_addt_info *)
elems.ht_info_elem, &bss_info);
ieee80211_handle_ht(local, 1, &sta->sta.ht_info, &bss_info);
}
@@ -1709,7 +1707,6 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
struct ieee80211_ht_bss_info bss_info;
ieee80211_ht_addt_info_ie_to_ht_bss_info(
- (struct ieee80211_ht_addt_info *)
elems.ht_info_elem, &bss_info);
changed |= ieee80211_handle_ht(local, 1, &conf->ht_conf,
&bss_info);