    mwifiex: Don't abort on small, spec-compliant vendor IEs · b441bf73
    Brian Norris authored
    commit 63d7ef36 upstream.
    
    Per the 802.11 specification, vendor IEs are (at minimum) only required
    to contain an OUI. A type field is also included in ieee80211.h (struct
    ieee80211_vendor_ie) but doesn't appear in the specification. The
    remaining fields (subtype, version) are a convention used in WMM
    headers.
    
    Thus, we should not reject vendor-specific IEs that have only the
    minimum length (3 bytes) -- we should skip over them (since we only want
    to match longer IEs, that match either WMM or WPA formats). We can
    reject elements that don't have the minimum-required 3 byte OUI.
    
    While we're at it, move the non-standard subtype and version fields into
    the WMM structs, to avoid this confusion in the future about generic
    "vendor header" attributes.
    
    Fixes: 685c9b77 ("mwifiex: Abort at too short BSS descriptor element")
    Cc: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Reviewed-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
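
The length rule the commit message describes, as an added example that is not the mwifiex driver's code: a vendor IE shorter than the 3-byte OUI is rejected, an OUI-only IE is skipped, and the longer WPA/WMM fields are read only when the length allows it. The function name `scan_vendor_ies`, the element ID 221 and the 00:50:f2 OUI/type bytes are assumptions of this sketch (standard 802.11/WPA/WMM values, not taken from the page).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define EID_VENDOR 221            /* 802.11 vendor-specific element ID */
#define OUI_LEN    3              /* minimum body: the OUI alone */
enum { IE_MALFORMED = -1, IE_WPA = 1, IE_WMM = 2 };
/* Microsoft OUI 00:50:f2 followed by the type byte (1 = WPA, 2 = WMM). */
static const uint8_t wpa_hdr[4] = { 0x00, 0x50, 0xf2, 0x01 };
static const uint8_t wmm_hdr[4] = { 0x00, 0x50, 0xf2, 0x02 };

/* Hypothetical helper: returns a bitmask of IE_WPA/IE_WMM, or IE_MALFORMED. */
int scan_vendor_ies(const uint8_t *buf, size_t len)
{
    int found = 0;
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 2)
            return IE_MALFORMED;          /* truncated id/length header */
        uint8_t id = buf[pos], elen = buf[pos + 1];
        const uint8_t *body = buf + pos + 2;
        if (elen > len - pos - 2)
            return IE_MALFORMED;          /* body runs past the buffer */
        if (id == EID_VENDOR) {
            if (elen < OUI_LEN)
                return IE_MALFORMED;      /* no room for the required OUI */
            /* OUI-only elements are valid: they fall through and are skipped. */
            if (elen >= sizeof(wpa_hdr) && !memcmp(body, wpa_hdr, sizeof(wpa_hdr)))
                found |= IE_WPA;
            /* WMM needs OUI + type + subtype + version (6 bytes) before matching. */
            else if (elen >= 6 && !memcmp(body, wmm_hdr, sizeof(wmm_hdr)))
                found |= IE_WMM;
        }
        pos += 2 + (size_t)elen;
    }
    return found;
}

/* Constructed sample buffers, not captured traffic. */
static const uint8_t ok_buf[]  = { 221, 3, 0x00, 0x50, 0xf2,      /* OUI only */
                                   221, 6, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00 };
static const uint8_t bad_buf[] = { 221, 2, 0x00, 0x50 };          /* short OUI */

int main(void)
{
    printf("%d %d\n", scan_vendor_ies(ok_buf, sizeof(ok_buf)),
           scan_vendor_ies(bad_buf, sizeof(bad_buf)));
    return 0;
}
```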
fw.h 61 KB