From: Johannes Berg <johannes@sipsolutions.net>
Date: Thu, 16 Apr 2009 22:54:23 +0000 (+0200)
Subject: mac80211: validate TIM IE length
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=60375541f7c8a577b977d344565259776c3acfc1;p=mv-sheeva.git

mac80211: validate TIM IE length

The TIM IE must not be shorter than 4 bytes, so verify that
when parsing it.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index dc60804d6dd..1619e0cd26e 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -441,6 +441,9 @@ static bool ieee80211_check_tim(struct ieee802_11_elems *elems, u16 aid)
 	u8 index, indexn1, indexn2;
 	struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim;
 
+	if (unlikely(!tim || elems->tim_len < 4))
+		return false;
+
 	aid &= 0x3fff;
 	index = aid / 8;
 	mask  = 1 << (aid & 7);