7 Oct 19:27
[PATCH] mac80211: fix HT information element parsing
From: Johannes Berg <johannes@...>
Subject: [PATCH] mac80211: fix HT information element parsing
Newsgroups: gmane.linux.kernel.wireless.general
Date: 2008-10-07 17:31:17 GMT
Subject: [PATCH] mac80211: fix HT information element parsing
Newsgroups: gmane.linux.kernel.wireless.general
Date: 2008-10-07 17:31:17 GMT
There's no checking that the HT IEs are of the right length which can be used by an attacker to cause an out-of-bounds access by sending a too short HT information/capability IE. Fix it by simply pretending those IEs didn't exist when too short. Signed-off-by: Johannes Berg <johannes@...> --- net/mac80211/ieee80211_i.h | 6 ++---- net/mac80211/mlme.c | 3 --- net/mac80211/util.c | 8 ++++---- 3 files changed, 6 insertions(+), 11 deletions(-) --- everything.orig/net/mac80211/ieee80211_i.h 2008-10-07 16:52:04.000000000 +0200 +++ everything/net/mac80211/ieee80211_i.h 2008-10-07 16:53:04.000000000 +0200 @@ -816,8 +816,8 @@ struct ieee802_11_elems { u8 *ext_supp_rates; u8 *wmm_info; u8 *wmm_param; - u8 *ht_cap_elem; - u8 *ht_info_elem; + struct ieee80211_ht_cap *ht_cap_elem; + struct ieee80211_ht_addt_info *ht_info_elem; u8 *mesh_config; u8 *mesh_id; u8 *peer_link; @@ -844,8 +844,6 @@ struct ieee802_11_elems { u8 ext_supp_rates_len; u8 wmm_info_len; u8 wmm_param_len;(Continue reading)
RSS Feed