mac80211: check size of channel switch IE when parsing

The channel switch IE has a fixed size, so we can discard it in parsing if it's not the right size and use the right struct pointer. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Johannes Berg <johannes.berg@intel.com> 2012-08-01 16:13:02 +0200
committer: Johannes Berg <johannes.berg@intel.com> 2012-08-20 13:57:50 +0200
commit: 5bc1420b11903e9f8c470d3b33061b8de0c5c005 (patch)
tree: 5fa942edea59ad047aa58f9d84c6259cd3b4f314 /net/mac80211/util.c
parent: 3049000b97bbfc90aa9ba413eadc4007e5bce2e0 (diff)
download: linux-5bc1420b11903e9f8c470d3b33061b8de0c5c005.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 99e4258bdb26..7dff94e43a0c 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -768,8 +768,11 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
 				elem_parse_failed = true;
 			break;
 		case WLAN_EID_CHANNEL_SWITCH:
-			elems->ch_switch_elem = pos;
-			elems->ch_switch_elem_len = elen;
+			if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
+				elem_parse_failed = true;
+				break;
+			}
+			elems->ch_switch_ie = (void *)pos;
 			break;
 		case WLAN_EID_QUIET:
 			if (!elems->quiet_elem) {
author	Johannes Berg <johannes.berg@intel.com>	2012-08-01 16:13:02 +0200
committer	Johannes Berg <johannes.berg@intel.com>	2012-08-20 13:57:50 +0200
commit	5bc1420b11903e9f8c470d3b33061b8de0c5c005 (patch)
tree	5fa942edea59ad047aa58f9d84c6259cd3b4f314 /net/mac80211/util.c
parent	3049000b97bbfc90aa9ba413eadc4007e5bce2e0 (diff)
download	linux-5bc1420b11903e9f8c470d3b33061b8de0c5c005.tar.gz