From f4b64c603e1f3764c4ffa42b3b7c74c8fa284542 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 19 Apr 2015 17:03:23 +0300
Subject: [PATCH] Simplify VHT Operation element parsing

Check the element length in the parser and remove the length field from struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen
---
 src/common/ieee802_11_common.c | 3 ++-
 src/common/ieee802_11_common.h | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 85d6ca8c5..7843e6fea 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -292,8 +292,9 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
 elems->vht_capabilities = pos;
 break;
 case WLAN_EID_VHT_OPERATION:
+ if (elen < sizeof(struct ieee80211_vht_operation))
+ break;
 elems->vht_operation = pos;
- elems->vht_operation_len = elen;
 break;
 case WLAN_EID_VHT_OPERATING_MODE_NOTIFICATION:
 if (elen != 1)
diff --git a/src/common/ieee802_11_common.h b/src/common/ieee802_11_common.h
index 33e60b270..c84d8a748 100644
--- a/src/common/ieee802_11_common.h
+++ b/src/common/ieee802_11_common.h
@@ -64,7 +64,6 @@ struct ieee802_11_elems {
 u8 mesh_config_len;
 u8 mesh_id_len;
 u8 peer_mgmt_len;
- u8 vht_operation_len;
 u8 vendor_ht_cap_len;
 u8 vendor_vht_len;
 u8 p2p_len;
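Review bot: The length check added under `case WLAN_EID_VHT_OPERATION:` uses `<`, so an element longer than `struct ieee80211_vht_operation` is still accepted, and with `vht_operation_len` removed no consumer can tell how many octets actually follow `elems->vht_operation`. The neighbouring `WLAN_EID_VHT_OPERATING_MODE_NOTIFICATION` case uses an exact test (`elen != 1`), so the difference reads as accidental unless it is documented. If accepting longer elements is intended, I would add a comment above the check such as `/* Longer elements are accepted; consumers must read at most sizeof(struct ieee80211_vht_operation) octets from elems->vht_operation. */`. A too-short element is dropped silently and callers then see it as absent, which is presumably the intent but is worth stating in the same comment. The body of ieee802_11_parse_elems starts and ends outside this hunk, so how other cases report malformed elements is not visible here.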