Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5bc1420b authored by Johannes Berg's avatar Johannes Berg
Browse files

mac80211: check size of channel switch IE when parsing 



The channel switch IE has a fixed size, so we can
discard it in parsing if it's not the right size
and use the right struct pointer.

Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 3049000b

net/mac80211/ieee80211_i.h

+1 −2
Original line number Diff line number Diff line
@@ -1136,7 +1136,7 @@ struct ieee802_11_elems { 
	u8 *prep;

	u8 *perr;

	struct ieee80211_rann_ie *rann;

	u8 *ch_switch_elem;

	struct ieee80211_channel_sw_ie *ch_switch_ie;

	u8 *country_elem;

	u8 *pwr_constr_elem;

	u8 *quiet_elem;	/* first quite element */
@@ -1162,7 +1162,6 @@ struct ieee802_11_elems { 
	u8 preq_len;

	u8 prep_len;

	u8 perr_len;

	u8 ch_switch_elem_len;

	u8 country_elem_len;

	u8 pwr_constr_elem_len;

	u8 quiet_elem_len;

net/mac80211/mlme.c

+3 −7
Original line number Diff line number Diff line
@@ -2267,15 +2267,11 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata, 
		mutex_unlock(&local->iflist_mtx);

	}



	if (elems->ch_switch_elem && (elems->ch_switch_elem_len == 3) &&

	    (memcmp(mgmt->bssid, sdata->u.mgd.associated->bssid,

							ETH_ALEN) == 0)) {

		struct ieee80211_channel_sw_ie *sw_elem =

			(struct ieee80211_channel_sw_ie *)elems->ch_switch_elem;

		ieee80211_sta_process_chanswitch(sdata, sw_elem,

	if (elems->ch_switch_ie &&

	    memcmp(mgmt->bssid, sdata->u.mgd.associated->bssid, ETH_ALEN) == 0)

		ieee80211_sta_process_chanswitch(sdata, elems->ch_switch_ie,

						 bss, rx_status->mactime);

}

}





static void ieee80211_rx_mgmt_probe_resp(struct ieee80211_sub_if_data *sdata,

net/mac80211/util.c

+5 −2
Original line number Diff line number Diff line
@@ -768,8 +768,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, 
				elem_parse_failed = true;

			break;

		case WLAN_EID_CHANNEL_SWITCH:

			elems->ch_switch_elem = pos;

			elems->ch_switch_elem_len = elen;

			if (elen != sizeof(struct ieee80211_channel_sw_ie)) {

				elem_parse_failed = true;

				break;

			}

			elems->ch_switch_ie = (void *)pos;

			break;

		case WLAN_EID_QUIET:

			if (!elems->quiet_elem) {