mac80211: validate TIM IE length

author Johannes Berg <johannes@sipsolutions.net>

Thu, 16 Apr 2009 22:54:23 +0000 (00:54 +0200)

committer John W. Linville <linville@tuxdriver.com>

Fri, 17 Apr 2009 19:27:13 +0000 (15:27 -0400)
author Johannes Berg <johannes@sipsolutions.net>
Thu, 16 Apr 2009 22:54:23 +0000 (00:54 +0200)
committer John W. Linville <linville@tuxdriver.com>
Fri, 17 Apr 2009 19:27:13 +0000 (15:27 -0400)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c

index dc60804..1619e0c 100644 (file)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -441,6 +441,9 @@ static bool ieee80211_check_tim(struct ieee802_11_elems *elems, u16 aid)
         u8 index, indexn1, indexn2;
         struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim;
  
+       if (unlikely(!tim || elems->tim_len < 4))
+               return false;
+
         aid &= 0x3fff;
         index = aid / 8;
         mask  = 1 << (aid & 7);
author	Johannes Berg <johannes@sipsolutions.net>
	Thu, 16 Apr 2009 22:54:23 +0000 (00:54 +0200)
committer	John W. Linville <linville@tuxdriver.com>
	Fri, 17 Apr 2009 19:27:13 +0000 (15:27 -0400)