mac80211: check size of channel switch IE when parsing The channel switch IE has a fixed size, so we can discard it in parsing if it's not the right size and use the right struct pointer. Signed-off-by: Johannes Berg <johannes.berg@intel.com>

commit: 5bc1420b11903e9f8c470d3b33061b8de0c5c005 [log] [tgz]
author: Johannes Berg <johannes.berg@intel.com> Wed Aug 01 16:13:02 2012 +0200
committer: Johannes Berg <johannes.berg@intel.com> Mon Aug 20 13:57:50 2012 +0200
tree: 5fa942edea59ad047aa58f9d84c6259cd3b4f314
parent: 3049000b97bbfc90aa9ba413eadc4007e5bce2e0 [diff] [blame]
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 99e4258..7dff94e 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c

@@ -768,8 +768,11 @@
 				elem_parse_failed = true;
 			break;
 		case WLAN_EID_CHANNEL_SWITCH:
-			elems->ch_switch_elem = pos;
-			elems->ch_switch_elem_len = elen;
+			if (elen != sizeof(struct ieee80211_channel_sw_ie)) {
+				elem_parse_failed = true;
+				break;
+			}
+			elems->ch_switch_ie = (void *)pos;
 			break;
 		case WLAN_EID_QUIET:
 			if (!elems->quiet_elem) {
commit	5bc1420b11903e9f8c470d3b33061b8de0c5c005	[log] [tgz]
author	Johannes Berg <johannes.berg@intel.com>	Wed Aug 01 16:13:02 2012 +0200
committer	Johannes Berg <johannes.berg@intel.com>	Mon Aug 20 13:57:50 2012 +0200
tree	5fa942edea59ad047aa58f9d84c6259cd3b4f314
parent	3049000b97bbfc90aa9ba413eadc4007e5bce2e0 [diff] [blame]