Brian Norris <briannorris@xxxxxxxxxxxx> wrote:

> Per the 802.11 specification, vendor IEs are (at minimum) only required
> to contain an OUI. A type field is also included in ieee80211.h (struct
> ieee80211_vendor_ie) but doesn't appear in the specification. The
> remaining fields (subtype, version) are a convention used in WMM
> headers.
>
> Thus, we should not reject vendor-specific IEs that have only the
> minimum length (3 bytes) -- we should skip over them (since we only want
> to match longer IEs, that match either WMM or WPA formats). We can
> reject elements that don't have the minimum-required 3 byte OUI.
>
> While we're at it, move the non-standard subtype and version fields into
> the WMM structs, to avoid this confusion in the future about generic
> "vendor header" attributes.
>
> Fixes: 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element")
> Cc: Takashi Iwai <tiwai@xxxxxxx>
> Signed-off-by: Brian Norris <briannorris@xxxxxxxxxxxx>
> Reviewed-by: Takashi Iwai <tiwai@xxxxxxx>

Patch applied to wireless-drivers.git, thanks.

63d7ef36103d mwifiex: Don't abort on small, spec-compliant vendor IEs

-- 
https://patchwork.kernel.org/patch/10996895/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
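The length policy described in the quoted commit message, as an added example that is not part of the thread and is not the mwifiex code: a stand-alone IE walker that rejects a vendor element shorter than the 3-byte OUI, skips an OUI-only element, and matches the WMM header only when the element is long enough to hold it. The names `find_wmm_ie`, `IE_NONE`, `IE_MALFORMED` and the sample buffers are hypothetical, and treating a stray trailing byte as malformed is this example's assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_VENDOR   221   /* vendor-specific element ID */
#define OUI_LEN      3     /* smallest valid vendor IE body */
#define IE_NONE      (-1)  /* well-formed, no WMM element found */
#define IE_MALFORMED (-2)  /* reject the whole descriptor */

/* WMM information element header: OUI, type, subtype, version. */
static const uint8_t WMM_HDR[] = { 0x00, 0x50, 0xf2, 0x02, 0x00, 0x01 };
/* Constructed sample: a 3-byte vendor IE (OUI only), then a WMM IE. */
static const uint8_t SAMPLE[] = {
    221, 3, 0x00, 0x11, 0x22,
    221, 7, 0x00, 0x50, 0xf2, 0x02, 0x00, 0x01, 0x00,
};
/* Constructed sample: vendor IE too short to hold an OUI. */
static const uint8_t SAMPLE_BAD[] = { 221, 2, 0x00, 0x11 };

/* Returns the offset of the first WMM element body, or a negative code. */
static long find_wmm_ie(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    long found = IE_NONE;

    while (len - pos >= 2) {
        size_t elen = buf[pos + 1];
        if (elen > len - pos - 2)
            return IE_MALFORMED;      /* element overruns the buffer */
        if (buf[pos] == EID_VENDOR) {
            if (elen < OUI_LEN)
                return IE_MALFORMED;  /* no room for the required OUI */
            /* OUI-only or other short IEs fall through and are skipped. */
            if (found == IE_NONE && elen >= sizeof(WMM_HDR) &&
                memcmp(buf + pos + 2, WMM_HDR, sizeof(WMM_HDR)) == 0)
                found = (long)(pos + 2);
        }
        pos += 2 + elen;
    }
    return pos == len ? found : IE_MALFORMED;
}

int main(void)
{
    printf("%ld %ld\n", find_wmm_ie(SAMPLE, sizeof(SAMPLE)),
           find_wmm_ie(SAMPLE_BAD, sizeof(SAMPLE_BAD)));
    return 0;
}
```

The length check before `memcmp` is what keeps a short but valid element from being read past its end.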