Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f1f3e9e2 authored by Johannes Berg's avatar Johannes Berg
Browse files

mac80211: fix IBSS presp allocation size 



When VHT IBSS support was added, the size of the extra elements
wasn't considered in ieee80211_ibss_build_presp(), which makes
it possible that it would overrun the allocated buffer. Fix it
by allocating the necessary space.

Fixes: abcff6ef ("mac80211: add VHT support for IBSS")
Reported-by: default avatarShaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 4954601f

net/mac80211/ibss.c

+2 −0
Original line number Original line Diff line number Diff line
@@ -66,6 +66,8 @@ ieee80211_ibss_build_presp(struct ieee80211_sub_if_data *sdata, 
		    2 + (IEEE80211_MAX_SUPP_RATES - 8) +

		    2 + (IEEE80211_MAX_SUPP_RATES - 8) +

		    2 + sizeof(struct ieee80211_ht_cap) +

		    2 + sizeof(struct ieee80211_ht_cap) +

		    2 + sizeof(struct ieee80211_ht_operation) +

		    2 + sizeof(struct ieee80211_ht_operation) +

		    2 + sizeof(struct ieee80211_vht_cap) +

		    2 + sizeof(struct ieee80211_vht_operation) +

		    ifibss->ie_len;

		    ifibss->ie_len;

	presp = kzalloc(sizeof(*presp) + frame_len, GFP_KERNEL);

	presp = kzalloc(sizeof(*presp) + frame_len, GFP_KERNEL);

	if (!presp)

	if (!presp)