On Thu, 2011-09-15 at 12:09 +0300, Eliad Peller wrote:
> On Thu, Sep 15, 2011 at 12:03 PM, Johannes Berg
> <johannes@xxxxxxxxxxxxxxxx> wrote:
> >
> >> +const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type,
> >> +                                  const u8 *ies, int len)
> >> +{
> >> +       struct ieee80211_vendor_ie *ie;
> >> +       const u8 *pos = ies, *end = ies + len;
> >> +       int ie_oui;
> >> +
> >> +       while (pos < end) {
> >> +               pos = cfg80211_find_ie(WLAN_EID_VENDOR_SPECIFIC, pos,
> >> +                                      end - pos);
> >> +               if (!pos)
> >> +                       return NULL;
> >> +
> >> +               if (end - pos < sizeof(*ie))
> >> +                       return NULL;
> >> +
> >> +               ie = (struct ieee80211_vendor_ie *)pos;
> >> +               ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2];
> >> +               if (ie_oui == oui && ie->oui_type == oui_type)
> >> +                       return pos;
> >> +
> >> +               pos += 2 + ie->len;
> >
> > I think it should also check that the whole IE including ie->len (not
> > just sizeof(*ie)) fits into the buffer, before returning it. That is, add
> > something like
> >
> >        if (end - pos < 2 + ie->len)
> >                return NULL;
> >
> > after the sizeof(*ie) check.
> >
> cfg80211_find_ie() already checks for it.

Oh, good point. Sorry for the interruption :)

Reviewed-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>

johannes

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
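Review bot: the "if (end - pos < sizeof(*ie))" check in cfg80211_find_vendor_ie() bounds the read against the remaining buffer rather than against the element itself, so a vendor-specific IE whose ie->len is smaller than the OUI plus type byte (fewer than sizeof(*ie) - 2 bytes of payload) still passes whenever enough bytes of the following element remain, and the ie->oui[] and ie->oui_type loads then read the next element's header and body, which can yield a spurious match. Since cfg80211_find_ie() already guarantees that 2 + ie->len fits in the buffer, as Eliad notes, the check that is actually missing is on the element's own length: replace the buffer-size test with something like "if (ie->len < sizeof(*ie) - 2) { pos += 2 + ie->len; continue; }" so that short vendor IEs are skipped instead of being matched against bytes that belong to a different element (the current "return NULL" also ends the search early at such an element instead of moving past it). Minor: ie_oui is declared int but compared against the unsigned int oui parameter; declaring it unsigned int avoids the mixed-sign comparison.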