Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 6719429d authored by Luciano Coelho's avatar Luciano Coelho Committed by Johannes Berg
Browse files

cfg80211: check vendor IE length to avoid overrun 



cfg80211_find_vendor_ie() was checking only that the vendor IE would
fit in the remaining IEs buffer.  If a corrupt includes a vendor IE
that is too small, we could potentially overrun the IEs buffer.

Fix this by checking that the vendor IE fits in the reported IE length
field and skip it otherwise.

Reported-by: default avatarJouni Malinen <j@w1.fi>
Signed-off-by: default avatarLuciano Coelho <coelho@ti.com>
[change BUILD_BUG_ON to != 1 (from >= 2)]
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent bb92d199
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment