From 1cd8e88e17729f57a9c7f751103e522596bb5de2 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Wed, 27 Mar 2013 14:30:12 +0100
Subject: mac80211: check DSSS params IE length in parser

It's always just one byte, so check for that and
remove the length field from the parser struct.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/util.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'net/mac80211/util.c')

diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 2708b270e94..0f7d1c20f8a 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -739,8 +739,10 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
 			elems->supp_rates_len = elen;
 			break;
 		case WLAN_EID_DS_PARAMS:
-			elems->ds_params = pos;
-			elems->ds_params_len = elen;
+			if (elen >= 1)
+				elems->ds_params = pos;
+			else
+				elem_parse_failed = true;
 			break;
 		case WLAN_EID_TIM:
 			if (elen >= sizeof(struct ieee80211_tim_ie)) {
-- 
cgit v1.2.3-18-g5258