From 40baac0e432cacffc92d8790c83bde5bb93a8285 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 19 Apr 2015 17:00:45 +0300 Subject: [PATCH] Simplify VHT Capabilities element parsing Check the element length in the parser and remove the length field from struct ieee802_11_elems since the element is of fixed length. Signed-off-by: Jouni Malinen --- src/ap/ieee802_11.c | 3 +-- src/ap/ieee802_11.h | 2 +- src/ap/ieee802_11_vht.c | 3 +-- src/common/ieee802_11_common.c | 3 ++- src/common/ieee802_11_common.h | 1 - src/rsn_supp/tdls.c | 4 +--- src/rsn_supp/wpa_ie.c | 5 +++-- src/rsn_supp/wpa_ie.h | 1 - 8 files changed, 9 insertions(+), 13 deletions(-) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 12996775d..5b265584b 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -1295,8 +1295,7 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, #endif /* CONFIG_IEEE80211N */ #ifdef CONFIG_IEEE80211AC - resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities, - elems.vht_capabilities_len); + resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities); if (resp != WLAN_STATUS_SUCCESS) return resp; diff --git a/src/ap/ieee802_11.h b/src/ap/ieee802_11.h index a0972358d..44c1bff36 100644 --- a/src/ap/ieee802_11.h +++ b/src/ap/ieee802_11.h @@ -70,7 +70,7 @@ void update_ht_state(struct hostapd_data *hapd, struct sta_info *sta); void ht40_intolerant_add(struct hostapd_iface *iface, struct sta_info *sta); void ht40_intolerant_remove(struct hostapd_iface *iface, struct sta_info *sta); u16 copy_sta_vht_capab(struct hostapd_data *hapd, struct sta_info *sta, - const u8 *vht_capab, size_t vht_capab_len); + const u8 *vht_capab); u16 set_sta_vht_opmode(struct hostapd_data *hapd, struct sta_info *sta, const u8 *vht_opmode); void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, diff --git a/src/ap/ieee802_11_vht.c b/src/ap/ieee802_11_vht.c index 171538ad7..5bf1b5d72 100644 --- a/src/ap/ieee802_11_vht.c +++ b/src/ap/ieee802_11_vht.c @@ -132,11 +132,10 @@ static int check_valid_vht_mcs(struct hostapd_hw_modes *mode, u16 copy_sta_vht_capab(struct hostapd_data *hapd, struct sta_info *sta, - const u8 *vht_capab, size_t vht_capab_len) + const u8 *vht_capab) { /* Disable VHT caps for STAs associated to no-VHT BSSes. */ if (!vht_capab || - vht_capab_len < sizeof(struct ieee80211_vht_capabilities) || hapd->conf->disable_11ac || !check_valid_vht_mcs(hapd->iface->current_mode, vht_capab)) { sta->flags &= ~WLAN_STA_VHT; diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c index 3866ddfe2..922dea0aa 100644 --- a/src/common/ieee802_11_common.c +++ b/src/common/ieee802_11_common.c @@ -286,8 +286,9 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len, elems->peer_mgmt_len = elen; break; case WLAN_EID_VHT_CAP: + if (elen < sizeof(struct ieee80211_vht_capabilities)) + break; elems->vht_capabilities = pos; - elems->vht_capabilities_len = elen; break; case WLAN_EID_VHT_OPERATION: elems->vht_operation = pos; diff --git a/src/common/ieee802_11_common.h b/src/common/ieee802_11_common.h index 5306783e2..24e558ee7 100644 --- a/src/common/ieee802_11_common.h +++ b/src/common/ieee802_11_common.h @@ -65,7 +65,6 @@ struct ieee802_11_elems { u8 mesh_config_len; u8 mesh_id_len; u8 peer_mgmt_len; - u8 vht_capabilities_len; u8 vht_operation_len; u8 vendor_ht_cap_len; u8 vendor_vht_len; diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c index 490fcaa62..6b1df7119 100644 --- a/src/rsn_supp/tdls.c +++ b/src/rsn_supp/tdls.c @@ -1603,9 +1603,7 @@ static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde, static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde, struct wpa_tdls_peer *peer) { - if (!kde->vht_capabilities || - kde->vht_capabilities_len < - sizeof(struct ieee80211_vht_capabilities) ) { + if (!kde->vht_capabilities) { wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities " "received"); return 0; diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index ec3eab0db..0c37b35c1 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -559,9 +559,10 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len, } else if (*pos == WLAN_EID_VHT_AID) { if (pos[1] >= 2) ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff; - } else if (*pos == WLAN_EID_VHT_CAP) { + } else if (*pos == WLAN_EID_VHT_CAP && + pos[1] >= sizeof(struct ieee80211_vht_capabilities)) + { ie->vht_capabilities = pos + 2; - ie->vht_capabilities_len = pos[1]; } else if (*pos == WLAN_EID_QOS && pos[1] >= 1) { ie->qosinfo = pos[2]; } else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) { diff --git a/src/rsn_supp/wpa_ie.h b/src/rsn_supp/wpa_ie.h index edabfc792..fe95af0ab 100644 --- a/src/rsn_supp/wpa_ie.h +++ b/src/rsn_supp/wpa_ie.h @@ -51,7 +51,6 @@ struct wpa_eapol_ie_parse { size_t ext_supp_rates_len; const u8 *ht_capabilities; const u8 *vht_capabilities; - size_t vht_capabilities_len; const u8 *supp_channels; size_t supp_channels_len; const u8 *supp_oper_classes;