On Thu, Sep 15, 2011 at 12:03 PM, Johannes Berg
<johannes@xxxxxxxxxxxxxxxx> wrote:
>
>> +const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type,
>> + const u8 *ies, int len)
>> +{
>> + struct ieee80211_vendor_ie *ie;
>> + const u8 *pos = ies, *end = ies + len;
>> + int ie_oui;
>> +
>> + while (pos < end) {
>> + pos = cfg80211_find_ie(WLAN_EID_VENDOR_SPECIFIC, pos,
>> + end - pos);
>> + if (!pos)
>> + return NULL;
>> +
>> + if (end - pos < sizeof(*ie))
>> + return NULL;
>> +
>> + ie = (struct ieee80211_vendor_ie *)pos;
>> + ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2];
>> + if (ie_oui == oui && ie->oui_type == oui_type)
>> + return pos;
>> +
>> + pos += 2 + ie->len;
>
> I think it should also check that the whole IE including ie->len (not
> just sizeof(*ie) fits into the buffer, before returning it. That is, add
> something like
>
> if (end - pos < 2 + ie->len)
> return NULL;
>
> after the sizeof(*ie) check.
>
cfg80211_find_ie() already checks for it.
Eliad.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
