mac80211: check size of channel switch IE when parsing
Linux-MTD Mailing List
linux-mtd at lists.infradead.org
Sat Sep 29 10:59:42 EDT 2012
Gitweb: http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=5bc1420b11903e9f8c470d3b33061b8de0c5c005
Commit: 5bc1420b11903e9f8c470d3b33061b8de0c5c005
Parent: 3049000b97bbfc90aa9ba413eadc4007e5bce2e0
Author: Johannes Berg <johannes.berg at intel.com>
AuthorDate: Wed Aug 1 16:13:02 2012 +0200
Committer: Johannes Berg <johannes.berg at intel.com>
CommitDate: Mon Aug 20 13:57:50 2012 +0200
mac80211: check size of channel switch IE when parsing
The channel switch IE has a fixed size, so we can
discard it in parsing if it's not the right size
and use the right struct pointer.
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
---
net/mac80211/ieee80211_i.h | 3 +--
net/mac80211/mlme.c | 10 +++-------
net/mac80211/util.c | 7 +++++--
3 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index e22aee8..793f03e 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1136,7 +1136,7 @@ struct ieee802_11_elems {
u8 *prep;
u8 *perr;
struct ieee80211_rann_ie *rann;
- u8 *ch_switch_elem;
+ struct ieee80211_channel_sw_ie *ch_switch_ie;
u8 *country_elem;
u8 *pwr_constr_elem;
u8 *quiet_elem; /* first quite element */
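Review bot: The new `ch_switch_ie` member of struct ieee802_11_elems carries an invariant that its type alone does not show. With the matching `_len` field removed in the next hunk, a non-NULL pointer becomes the only signal that the element had the expected size. A short comment on the member would make that explicit for future consumers, e.g. `/* non-NULL only if the IE length equalled sizeof(*ch_switch_ie) */`. The struct definition starts and ends outside this hunk.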
@@ -1162,7 +1162,6 @@ struct ieee802_11_elems {
u8 preq_len;
u8 prep_len;
u8 perr_len;
- u8 ch_switch_elem_len;
u8 country_elem_len;
u8 pwr_constr_elem_len;
u8 quiet_elem_len;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 9e61fe1..b9cb8db 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2267,14 +2267,10 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
mutex_unlock(&local->iflist_mtx);
}
- if (elems->ch_switch_elem && (elems->ch_switch_elem_len == 3) &&
- (memcmp(mgmt->bssid, sdata->u.mgd.associated->bssid,
- ETH_ALEN) == 0)) {
- struct ieee80211_channel_sw_ie *sw_elem =
- (struct ieee80211_channel_sw_ie *)elems->ch_switch_elem;
- ieee80211_sta_process_chanswitch(sdata, sw_elem,
+ if (elems->ch_switch_ie &&
+ memcmp(mgmt->bssid, sdata->u.mgd.associated->bssid, ETH_ALEN) == 0)
+ ieee80211_sta_process_chanswitch(sdata, elems->ch_switch_ie,
bss, rx_status->mactime);
- }
}
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 99e4258..7dff94e 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -768,8 +768,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
elem_parse_failed = true;
break;
case WLAN_EID_CHANNEL_SWITCH:
- elems->ch_switch_elem = pos;
- elems->ch_switch_elem_len = elen;
+ if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
+ elem_parse_failed = true;
+ break;
+ }
+ elems->ch_switch_ie = (void *)pos;
break;
case WLAN_EID_QUIET:
if (!elems->quiet_elem) {
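Review bot: The length check added in the WLAN_EID_CHANNEL_SWITCH case compares `elen` with `sizeof(struct ieee80211_channel_sw_ie)`, whereas the code removed from mlme.c compared with the literal 3, so the check is only equivalent if that struct is laid out at exactly the on-air size with no padding. The struct definition is not part of this patch; if nothing else guarantees it, a `BUILD_BUG_ON(sizeof(struct ieee80211_channel_sw_ie) != 3);` near the parser would pin the assumption at compile time. Separately, a wrong-sized element now sets `elem_parse_failed` for the frame, where it was previously just skipped at the one consumer. It is worth confirming that callers acting on the parse-failure result tolerate that, since a peer controls this field. The switch statement continues outside the hunk.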