On Thu, Sep 15, 2011 at 12:03 PM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
>
>> +const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type,
>> +				     const u8 *ies, int len)
>> +{
>> +	struct ieee80211_vendor_ie *ie;
>> +	const u8 *pos = ies, *end = ies + len;
>> +	int ie_oui;
>> +
>> +	while (pos < end) {
>> +		pos = cfg80211_find_ie(WLAN_EID_VENDOR_SPECIFIC, pos,
>> +				       end - pos);
>> +		if (!pos)
>> +			return NULL;
>> +
>> +		if (end - pos < sizeof(*ie))
>> +			return NULL;
>> +
>> +		ie = (struct ieee80211_vendor_ie *)pos;
>> +		ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2];
>> +		if (ie_oui == oui && ie->oui_type == oui_type)
>> +			return pos;
>> +
>> +		pos += 2 + ie->len;
>
> I think it should also check that the whole IE including ie->len (not
> just sizeof(*ie)) fits into the buffer, before returning it. That is, add
> something like
>
> 	if (end - pos < 2 + ie->len)
> 		return NULL;
>
> after the sizeof(*ie) check.
>

cfg80211_find_ie() already checks for it.

Eliad.
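Review bot: the `end - pos < sizeof(*ie)` check in the loop only guarantees that six bytes exist in the buffer, not that they belong to this element: a vendor-specific IE whose ie->len is smaller than 4 would have its oui[] and oui_type read from whatever element follows it, and returning NULL on a short tail also abandons the search instead of moving past the element. Suggest checking the element's own declared length before touching those fields and skipping to the next element when it is too short, e.g. `if (ie->len < sizeof(*ie) - 2) { pos += 2 + ie->len; continue; }` right after the cast, so that a truncated vendor IE can neither be misread nor stop the walk early.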