b43: Fix tim search buffer overrun

Use the length of the variable section of the beacon instead of the whole beacon length for bounds checking. Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
git-mirror · Jan 28, 2008 · 47f76ca · 47f76ca
1 parent 280d0e1
commit 47f76ca
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
@@ -1163,7 +1163,7 @@ static void b43_write_beacon_template(struct b43_wldev *dev,
 				      u16 ram_offset,
 				      u16 shm_size_offset, u8 rate)
 {
-	int i, len;
+	unsigned int i, len, variable_len;
 	const struct ieee80211_mgmt *bcn;
 	const u8 *ie;
 	bool tim_found = 0;
@@ -1178,7 +1178,8 @@ static void b43_write_beacon_template(struct b43_wldev *dev,
 	/* Find the position of the TIM and the DTIM_period value
 	 * and write them to SHM. */
 	ie = bcn->u.beacon.variable;
-	for (i = 0; i < len - 2; ) {
+	variable_len = len - offsetof(struct ieee80211_mgmt, u.beacon.variable);
+	for (i = 0; i < variable_len - 2; ) {
 		uint8_t ie_id, ie_len;
 
 		ie_id = ie[i];
@@ -1189,7 +1190,7 @@ static void b43_write_beacon_template(struct b43_wldev *dev,
 			/* This is the TIM Information Element */
 
 			/* Check whether the ie_len is in the beacon data range. */
-			if (len < ie_len + 2 + i)
+			if (variable_len < ie_len + 2 + i)
 				break;
 			/* A valid TIM is at least 4 bytes long. */
 			if (ie_len < 4)