he_capab_len is always greater than sizeof(struct ieee80211_he_capabilities) because of the dynamic mcs_nss and ppet fields. Thus, the validity check in copy_sta_he_capab will always fail and he_capab will never be parsed. Fix is to validate that he_capab_len is not greater than the maximum HE Capability IE size and use the actual he_capab_len to parse the he_capab. Also, take these fields into consideration in beacon.c
Signed-off-by: shay.bar <shay.bar@xxxxxxxxxx>
---
Now including the Signed-off-by :)
src/ap/beacon.c | 4 ++++
src/ap/ieee802_11_he.c | 10 ++++++----
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index a51b949..98efb45 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -397,6 +397,8 @@ static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd,
 #ifdef CONFIG_IEEE80211AX
 if (hapd->iconf->ieee80211ax) {
 buflen += 3 + sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE +
 3 + sizeof(struct ieee80211_he_operation) +
 3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) +
 3 + sizeof(struct ieee80211_spatial_reuse);
@@ -1089,6 +1091,8 @@ int ieee802_11_build_ap_params(struct hostapd_data *hapd,
 #ifdef CONFIG_IEEE80211AX
 if (hapd->iconf->ieee80211ax) {
 tail_len += 3 + sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE +
 3 + sizeof(struct ieee80211_he_operation) +
 3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) +
 3 + sizeof(struct ieee80211_spatial_reuse);
diff --git a/src/ap/ieee802_11_he.c b/src/ap/ieee802_11_he.c
index a51f3fc..a7a74f0 100644
--- a/src/ap/ieee802_11_he.c
+++ b/src/ap/ieee802_11_he.c
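Review bot: The maximum HE Capabilities IE length is now written out as the same three-term sum in hostapd_gen_probe_resp and again in ieee802_11_build_ap_params, and copy_sta_he_capab in the other file computes it a third time; three copies of one bound will drift the next time the struct or the HE_MAX_* limits change. A single shared constant next to the HE_MAX_* definitions, `#define HE_MAX_CAPAB_IE_LEN (sizeof(struct ieee80211_he_capabilities) + HE_MAX_MCS_CAPAB_SIZE + HE_MAX_PPET_CAPAB_SIZE)`, would reduce each site to `buflen += 3 + HE_MAX_CAPAB_IE_LEN +` (and `tail_len += 3 + HE_MAX_CAPAB_IE_LEN +`). These hunks only grow the size estimate; the code that actually emits the IE into the buffer is not in the patch, so whether it is bounded by the same maximum cannot be confirmed from here. Both enclosing functions start and end outside the hunks.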
@@ -323,9 +323,12 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
 enum ieee80211_op_mode opmode, const u8 *he_capab,
 size_t he_capab_len)
 {
+size_t he_capab_max_len = sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE;
 if (!he_capab || !hapd->iconf->ieee80211ax ||
 !check_valid_he_mcs(hapd, he_capab, opmode) ||
- he_capab_len > sizeof(struct ieee80211_he_capabilities)) {
+ he_capab_len > he_capab_max_len) {
 sta->flags &= ~WLAN_STA_HE;
 os_free(sta->he_capab);
 sta->he_capab = NULL;
@@ -333,14 +336,13 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
 }
 
 if (!sta->he_capab) {
-sta->he_capab =
-os_zalloc(sizeof(struct ieee80211_he_capabilities));
+sta->he_capab =os_zalloc(he_capab_len);
 if (!sta->he_capab)
 return WLAN_STATUS_UNSPECIFIED_FAILURE;
 }
 
 sta->flags |= WLAN_STA_HE;
-os_memset(sta->he_capab, 0, sizeof(struct ieee80211_he_capabilities));
+os_memset(sta->he_capab, 0, he_capab_len);
 os_memcpy(sta->he_capab, he_capab, he_capab_len);
 sta->he_capab_len = he_capab_len;
-- 
1.9.1
________________________________
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any retransmission, dissemination, copying or other use of, or taking of any action in reliance upon this information is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Nothing contained herein shall be deemed as a representation, warranty or a commitment by Celeno. No warranties are expressed or implied, including, but not limited to, any implied warranties of non-infringement, merchantability and fitness for a particular purpose.
________________________________
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
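Review bot: The new bound only rejects an IE longer than he_capab_max_len; one shorter than sizeof(struct ieee80211_he_capabilities) still passes, is copied with that short he_capab_len, and leaves sta->he_capab with fixed MAC/PHY fields that were never received, and check_valid_he_mcs() is evaluated before any length test at all, so it presumably reads MCS fields from a buffer whose length has not yet been checked. Put the length tests ahead of the MCS check and add the lower bound, i.e. place `he_capab_len < sizeof(struct ieee80211_he_capabilities) ||` and `he_capab_len > he_capab_max_len ||` before the `!check_valid_he_mcs(hapd, he_capab, opmode)` term. The exact length the station must supply depends on its PHY capability bits (which MCS/NSS sets are present and whether PPE thresholds are included), which this hunk does not decode; if the file has a helper that derives it, that check belongs here as well. copy_sta_he_capab continues past the end of the hunk.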
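Review bot: The allocation is now sized by the current he_capab_len but is only made when sta->he_capab is NULL, so a station whose entry still holds a buffer from an earlier association with a shorter IE has os_memset() and os_memcpy() write the new, longer he_capab_len into the old, smaller allocation — a heap overflow reachable from an association request; the old code was immune only because every buffer was sizeof(struct ieee80211_he_capabilities). Either allocate he_capab_max_len unconditionally so the buffer size never depends on the frame, or release the old buffer before allocating: `os_free(sta->he_capab);` `sta->he_capab = os_zalloc(he_capab_len);` `if (!sta->he_capab) return WLAN_STATUS_UNSPECIFIED_FAILURE;`. With a fresh os_zalloc() the following os_memset() is redundant and only matters on the reuse path being removed, and `=os_zalloc` is missing the space the file uses around `=`. copy_sta_he_capab begins before this hunk.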