summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2009-04-17 00:54:23 +0200
committerJohn W. Linville <linville@tuxdriver.com>2009-04-17 15:27:13 -0400
commit60375541f7c8a577b977d344565259776c3acfc1 (patch)
tree89be78d18bcc64af22599268e8698d39e87f9192 /net
parentcd1658f592a60d028dd2e48d86724b737a82cab0 (diff)
downloadlinux-60375541f7c8a577b977d344565259776c3acfc1.tar.gz
linux-60375541f7c8a577b977d344565259776c3acfc1.tar.bz2
linux-60375541f7c8a577b977d344565259776c3acfc1.zip
mac80211: validate TIM IE length
The TIM IE must not be shorter than 4 bytes, so verify that when parsing it. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r--net/mac80211/mlme.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index dc60804d6dd0..1619e0cd26e2 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -441,6 +441,9 @@ static bool ieee80211_check_tim(struct ieee802_11_elems *elems, u16 aid)
u8 index, indexn1, indexn2;
struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim;
+ if (unlikely(!tim || elems->tim_len < 4))
+ return false;
+
aid &= 0x3fff;
index = aid / 8;
mask = 1 << (aid & 7);