Skip to content

Commit

Permalink
mac80211: fix HT information element parsing
Browse files Browse the repository at this point in the history 
There's no checking that the HT IEs are of the right length
which can be used by an attacker to cause an out-of-bounds
access by sending a too short HT information/capability IE.
Fix it by simply pretending those IEs didn't exist when too
short.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
  • Loading branch information
Johannes Berg authored and John W. Linville committed Oct 15, 2008
1 parent 3eadd75 commit 0991481
Show file tree
Hide file tree
Showing 3 changed files with 6 additions and 11 deletions.
6 changes: 2 additions & 4 deletions net/mac80211/ieee80211_i.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -816,8 +816,8 @@ struct ieee802_11_elems {
u8 *ext_supp_rates;
u8 *wmm_info;
u8 *wmm_param;
u8 *ht_cap_elem;
u8 *ht_info_elem;
struct ieee80211_ht_cap *ht_cap_elem;
struct ieee80211_ht_addt_info *ht_info_elem;
u8 *mesh_config;
u8 *mesh_id;
u8 *peer_link;
Expand All @@ -844,8 +844,6 @@ struct ieee802_11_elems {
u8 ext_supp_rates_len;
u8 wmm_info_len;
u8 wmm_param_len;
u8 ht_cap_elem_len;
u8 ht_info_elem_len;
u8 mesh_config_len;
u8 mesh_id_len;
u8 peer_link_len;
Expand Down
3 changes: 0 additions & 3 deletions net/mac80211/mlme.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1348,10 +1348,8 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
(ifsta->flags & IEEE80211_STA_WMM_ENABLED)) {
struct ieee80211_ht_bss_info bss_info;
ieee80211_ht_cap_ie_to_ht_info(
(struct ieee80211_ht_cap *)
elems.ht_cap_elem, &sta->sta.ht_info);
ieee80211_ht_addt_info_ie_to_ht_bss_info(
(struct ieee80211_ht_addt_info *)
elems.ht_info_elem, &bss_info);
ieee80211_handle_ht(local, 1, &sta->sta.ht_info, &bss_info);
}
Expand Down Expand Up @@ -1709,7 +1707,6 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
struct ieee80211_ht_bss_info bss_info;

ieee80211_ht_addt_info_ie_to_ht_bss_info(
(struct ieee80211_ht_addt_info *)
elems.ht_info_elem, &bss_info);
changed |= ieee80211_handle_ht(local, 1, &conf->ht_conf,
&bss_info);
Expand Down
8 changes: 4 additions & 4 deletions net/mac80211/util.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -529,12 +529,12 @@ void ieee802_11_parse_elems(u8 *start, size_t len,
elems->ext_supp_rates_len = elen;
break;
case WLAN_EID_HT_CAPABILITY:
elems->ht_cap_elem = pos;
elems->ht_cap_elem_len = elen;
if (elen >= sizeof(struct ieee80211_ht_cap))
elems->ht_cap_elem = (void *)pos;
break;
case WLAN_EID_HT_EXTRA_INFO:
elems->ht_info_elem = pos;
elems->ht_info_elem_len = elen;
if (elen >= sizeof(struct ieee80211_ht_addt_info))
elems->ht_info_elem = (void *)pos;
break;
case WLAN_EID_MESH_ID:
elems->mesh_id = pos;
Expand Down

0 comments on commit 0991481

Please sign in to comment.