The TIM IE must not be shorter than 4 bytes, so verify that when parsing it. Signed-off-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> --- Ok the other version doesn't apply to .30 -- only to a tree that already has my other patches. This is going to create merge conflicts, but they should be easy to resolve... net/mac80211/mlme.c | 3 +++ 1 file changed, 3 insertions(+) --- wireless-testing.orig/net/mac80211/mlme.c 2009-04-17 00:50:23.000000000 +0200 +++ wireless-testing/net/mac80211/mlme.c 2009-04-17 00:52:09.000000000 +0200 @@ -528,6 +528,9 @@ static bool ieee80211_check_tim(struct i u8 index, indexn1, indexn2; struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim; + if (unlikely(!tim || elems->tim_len < 4)) + return false; + aid &= 0x3fff; index = aid / 8; mask = 1 << (aid & 7); -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
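Review bot: the new guard `if (unlikely(!tim || elems->tim_len < 4)) return false;` sits right after the `tim` pointer is initialised from `elems->tim` without being dereferenced, so ordering is fine, but the literal `4` is a magic number: a short comment (fixed fields dtim_count, dtim_period, bitmap_ctrl plus at least one virtual-bitmap byte) or `sizeof(*tim)`, if the struct's size is exactly that minimum, would make the bound self-documenting. Note also that this only establishes the minimum length; `index` is still derived from `aid` a few lines later, so the subsequent virtual-bitmap lookups using `index`, `indexn1` and `indexn2` must continue to be bounded against `elems->tim_len`, as this hunk alone does not cover them.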