Commit a40a8c17 authored Apr 15, 2014 by Bob Copeland Committed by Johannes Berg Apr 22, 2014

mac80211: fix mesh_add_rsn_ie IE finding loop



Previously, the code to copy the RSN IE from the mesh config
would increment its pointer by one in the loop instead of by
the element length, so there was the potential for mistaking
another IE's data fields as the RSN IE.

cfg80211_find_ie() exists, so just use that.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent aee6499c

net/mac80211/mesh.c

+8 −13

Original line number	Diff line number	Diff line
		@@ -366,20 +366,15 @@ int mesh_add_rsn_ie(struct ieee80211_sub_if_data sdata, struct sk_buff skb)
		return 0;

		/* find RSN IE */
		data = ifmsh->ie;
		while (data < ifmsh->ie + ifmsh->ie_len) {
		if (*data == WLAN_EID_RSN) {
		data = cfg80211_find_ie(WLAN_EID_RSN, ifmsh->ie, ifmsh->ie_len);
		if (!data)
		return 0;

		len = data[1] + 2;
		break;
		}
		data++;
		}

		if (len) {
		if (skb_tailroom(skb) < len)
		return -ENOMEM;
		memcpy(skb_put(skb, len), data, len);
		}

		return 0;
		}