diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2008-10-07 19:31:17 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2008-10-14 20:47:15 -0400 |
commit | 09914813da37f1ee9d77998a0701629cfbbd98f4 (patch) | |
tree | 6577e7769862378abf62e6867a54b71da1dc12c6 /net/mac80211/ieee80211_i.h | |
parent | 3eadd751eb8cb8090a65b4fa72c6360fd1aa5f06 (diff) | |
download | lwn-09914813da37f1ee9d77998a0701629cfbbd98f4.tar.gz lwn-09914813da37f1ee9d77998a0701629cfbbd98f4.zip |
mac80211: fix HT information element parsing
There's no checking that the HT IEs are of the right length
which can be used by an attacker to cause an out-of-bounds
access by sending a too short HT information/capability IE.
Fix it by simply pretending those IEs didn't exist when too
short.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211/ieee80211_i.h')
-rw-r--r-- | net/mac80211/ieee80211_i.h | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 8025b294588b..156e42a003ae 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -816,8 +816,8 @@ struct ieee802_11_elems { u8 *ext_supp_rates; u8 *wmm_info; u8 *wmm_param; - u8 *ht_cap_elem; - u8 *ht_info_elem; + struct ieee80211_ht_cap *ht_cap_elem; + struct ieee80211_ht_addt_info *ht_info_elem; u8 *mesh_config; u8 *mesh_id; u8 *peer_link; @@ -844,8 +844,6 @@ struct ieee802_11_elems { u8 ext_supp_rates_len; u8 wmm_info_len; u8 wmm_param_len; - u8 ht_cap_elem_len; - u8 ht_info_elem_len; u8 mesh_config_len; u8 mesh_id_len; u8 peer_link_len; |