> +const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type,
> + const u8 *ies, int len)
> +{
> + struct ieee80211_vendor_ie *ie;
> + const u8 *pos = ies, *end = ies + len;
> + int ie_oui;
> +
> + while (pos < end) {
> + pos = cfg80211_find_ie(WLAN_EID_VENDOR_SPECIFIC, pos,
> + end - pos);
> + if (!pos)
> + return NULL;
> +
> + if (end - pos < sizeof(*ie))
> + return NULL;
> +
> + ie = (struct ieee80211_vendor_ie *)pos;
> + ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2];
> + if (ie_oui == oui && ie->oui_type == oui_type)
> + return pos;
> +
> + pos += 2 + ie->len;
I think it should also check that the whole IE including ie->len (not just sizeof(*ie) fits into the buffer, before returning it. That is, add something like if (end - pos < 2 + ie->len) return NULL; after the sizeof(*ie) check.
johannes
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
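Review bot: The cast `ie = (struct ieee80211_vendor_ie *)pos;` silently drops the const qualifier of `pos`, so the IE buffer the function only ever reads is exposed through a writable pointer; declaring `const struct ieee80211_vendor_ie *ie;` and casting with `(const struct ieee80211_vendor_ie *)pos` keeps the read-only contract of the `const u8 *ies` parameter visible in the code. The comparison `end - pos < sizeof(*ie)` also mixes a ptrdiff_t with a size_t; that is harmless as long as cfg80211_find_ie returns a pointer inside the range it was given (which the hunk does not show), but `(size_t)(end - pos)` or a signed comparison would make the intent explicit. For the same reason `ie_oui` could be `unsigned int` to match the type of `oui` it is compared against. The body of cfg80211_find_vendor_ie continues past the end of the quoted hunk.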