mac80211: validate TIM IE length The TIM IE must not be shorter than 4 bytes, so verify that when parsing it. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: 60375541f7c8a577b977d344565259776c3acfc1 [log] [tgz]
author: Johannes Berg <johannes@sipsolutions.net> Fri Apr 17 00:54:23 2009 +0200
committer: John W. Linville <linville@tuxdriver.com> Fri Apr 17 15:27:13 2009 -0400
tree: 89be78d18bcc64af22599268e8698d39e87f9192
parent: cd1658f592a60d028dd2e48d86724b737a82cab0 [diff] [blame]
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index dc60804..1619e0c 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c

@@ -441,6 +441,9 @@
 	u8 index, indexn1, indexn2;
 	struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim;
 
+	if (unlikely(!tim || elems->tim_len < 4))
+		return false;
+
 	aid &= 0x3fff;
 	index = aid / 8;
 	mask  = 1 << (aid & 7);
commit	60375541f7c8a577b977d344565259776c3acfc1	[log] [tgz]
author	Johannes Berg <johannes@sipsolutions.net>	Fri Apr 17 00:54:23 2009 +0200
committer	John W. Linville <linville@tuxdriver.com>	Fri Apr 17 15:27:13 2009 -0400
tree	89be78d18bcc64af22599268e8698d39e87f9192
parent	cd1658f592a60d028dd2e48d86724b737a82cab0 [diff] [blame]