mac80211: check for mesh_config length on incoming management frames
authorLuis Carlos Cobo <luisca@cozybit.com>
Mon, 31 Mar 2008 23:00:13 +0000 (16:00 -0700)
committerJohn W. Linville <linville@tuxdriver.com>
Tue, 1 Apr 2008 21:14:12 +0000 (17:14 -0400)
Signed-off-by: Luis Carlos Cobo <luisca@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/ieee80211_sta.c

index 152682d4bb1ac66421bc46ec5c9b1a766bda5ed9..927ffbfe858266f4909e39dc1e34bdebfcd92fa2 100644 (file)
@@ -2150,11 +2150,14 @@ ieee80211_rx_mesh_bss_get(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
 
 static struct ieee80211_sta_bss *
 ieee80211_rx_mesh_bss_add(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
-                         u8 *mesh_cfg, int freq)
+                         u8 *mesh_cfg, int mesh_config_len, int freq)
 {
        struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
        struct ieee80211_sta_bss *bss;
 
+       if (mesh_config_len != MESH_CFG_LEN)
+               return NULL;
+
        bss = kzalloc(sizeof(*bss), GFP_ATOMIC);
        if (!bss)
                return NULL;
@@ -2528,7 +2531,8 @@ static void ieee80211_rx_bss_info(struct net_device *dev,
 #ifdef CONFIG_MAC80211_MESH
                if (elems.mesh_config)
                        bss = ieee80211_rx_mesh_bss_add(dev, elems.mesh_id,
-                               elems.mesh_id_len, elems.mesh_config, freq);
+                               elems.mesh_id_len, elems.mesh_config,
+                               elems.mesh_config_len, freq);
                else
 #endif
                        bss = ieee80211_rx_bss_add(dev, mgmt->bssid, freq,