summaryrefslogtreecommitdiff
path: root/net/mac80211
diff options
context:
space:
mode:
authorLuis Carlos Cobo <luisca@cozybit.com>2008-03-31 16:00:13 -0700
committerJohn W. Linville <linville@tuxdriver.com>2008-04-01 17:14:12 -0400
commit05e5e88373d91c75e9262a3f984be511960e510d (patch)
treede4e719001ae3e07a2d64b71445712f79eacd959 /net/mac80211
parent966a54282257ce1c43a5410dab2f2778a6f4dcf9 (diff)
downloadlinux-stable-05e5e88373d91c75e9262a3f984be511960e510d.tar.gz
linux-stable-05e5e88373d91c75e9262a3f984be511960e510d.tar.bz2
linux-stable-05e5e88373d91c75e9262a3f984be511960e510d.zip
mac80211: check for mesh_config length on incoming management frames
Signed-off-by: Luis Carlos Cobo <luisca@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r--net/mac80211/ieee80211_sta.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/net/mac80211/ieee80211_sta.c b/net/mac80211/ieee80211_sta.c
index 152682d4bb1a..927ffbfe8582 100644
--- a/net/mac80211/ieee80211_sta.c
+++ b/net/mac80211/ieee80211_sta.c
@@ -2150,11 +2150,14 @@ ieee80211_rx_mesh_bss_get(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
static struct ieee80211_sta_bss *
ieee80211_rx_mesh_bss_add(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
- u8 *mesh_cfg, int freq)
+ u8 *mesh_cfg, int mesh_config_len, int freq)
{
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
struct ieee80211_sta_bss *bss;
+ if (mesh_config_len != MESH_CFG_LEN)
+ return NULL;
+
bss = kzalloc(sizeof(*bss), GFP_ATOMIC);
if (!bss)
return NULL;
@@ -2528,7 +2531,8 @@ static void ieee80211_rx_bss_info(struct net_device *dev,
#ifdef CONFIG_MAC80211_MESH
if (elems.mesh_config)
bss = ieee80211_rx_mesh_bss_add(dev, elems.mesh_id,
- elems.mesh_id_len, elems.mesh_config, freq);
+ elems.mesh_id_len, elems.mesh_config,
+ elems.mesh_config_len, freq);
else
#endif
bss = ieee80211_rx_bss_add(dev, mgmt->bssid, freq,