Simplify HT Capabilities element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 507053e..80e4c2e 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -126,8 +126,6 @@
#ifdef CONFIG_IEEE80211N
#ifdef NEED_AP_MLME
if (elems.ht_capabilities &&
- elems.ht_capabilities_len >=
- sizeof(struct ieee80211_ht_capabilities) &&
(hapd->iface->conf->ht_capab &
HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) {
struct ieee80211_ht_capabilities *ht_cap =
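Review bot: The cast of elems.ht_capabilities to `struct ieee80211_ht_capabilities *` that follows `if (elems.ht_capabilities &&` is left with no local length guard, and the invariant it now depends on (the parser rejects shorter elements) is not recorded anywhere a reader of this file would see it. Suggest a comment on the `ht_capabilities` pointer field of struct ieee802_11_elems (outside the ieee802_11_common.h hunk), e.g. `/* NULL or at least sizeof(struct ieee80211_ht_capabilities) bytes; shorter elements are dropped by ieee802_11_parse_elems() */`, so that any future producer of the struct preserves it. The same remark applies to the hw_features_common.c hunk, and the tdls.c hunk relies in the same way on the check added in wpa_ie.c. The enclosing function here starts and ends outside the hunk.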
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index a7631e4..1299677 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1282,8 +1282,7 @@
if (resp != WLAN_STATUS_SUCCESS)
return resp;
#ifdef CONFIG_IEEE80211N
- resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities,
- elems.ht_capabilities_len);
+ resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
if (resp != WLAN_STATUS_SUCCESS)
return resp;
if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
diff --git a/src/ap/ieee802_11.h b/src/ap/ieee802_11.h
index cc5e842..a097235 100644
--- a/src/ap/ieee802_11.h
+++ b/src/ap/ieee802_11.h
@@ -62,7 +62,7 @@
struct ieee80211_vht_capabilities *vht_cap,
struct ieee80211_vht_capabilities *neg_vht_cap);
u16 copy_sta_ht_capab(struct hostapd_data *hapd, struct sta_info *sta,
- const u8 *ht_capab, size_t ht_capab_len);
+ const u8 *ht_capab);
u16 copy_sta_vendor_vht(struct hostapd_data *hapd, struct sta_info *sta,
const u8 *ie, size_t len);
diff --git a/src/ap/ieee802_11_ht.c b/src/ap/ieee802_11_ht.c
index 9dad8e3..11fde2a 100644
--- a/src/ap/ieee802_11_ht.c
+++ b/src/ap/ieee802_11_ht.c
@@ -310,7 +310,7 @@
u16 copy_sta_ht_capab(struct hostapd_data *hapd, struct sta_info *sta,
- const u8 *ht_capab, size_t ht_capab_len)
+ const u8 *ht_capab)
{
/*
* Disable HT caps for STAs associated to no-HT BSSes, or for stations
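Review bot: With the ht_capab_len parameter gone, copy_sta_ht_capab() has a new precondition — a non-NULL ht_capab must point to a full struct ieee80211_ht_capabilities — that is no longer checked in the function and is not mentioned in the comment block opening on the last line of this hunk. Suggest adding to that comment a sentence such as `ht_capab is either NULL or at least sizeof(struct ieee80211_ht_capabilities) bytes long, as guaranteed by ieee802_11_parse_elems(); callers must not pass an unvalidated element body.` The comment and the function body continue past the hunk.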
@@ -318,7 +318,6 @@
* frame.
*/
if (!ht_capab ||
- ht_capab_len < sizeof(struct ieee80211_ht_capabilities) ||
!(sta->flags & WLAN_STA_WMM) || hapd->conf->disable_11n) {
sta->flags &= ~WLAN_STA_HT;
os_free(sta->ht_capabilities);
diff --git a/src/common/hw_features_common.c b/src/common/hw_features_common.c
index 8d83de6..8f90fff 100644
--- a/src/common/hw_features_common.c
+++ b/src/common/hw_features_common.c
@@ -335,9 +335,7 @@
ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems,
0);
- if (elems.ht_capabilities &&
- elems.ht_capabilities_len >=
- sizeof(struct ieee80211_ht_capabilities)) {
+ if (elems.ht_capabilities) {
struct ieee80211_ht_capabilities *ht_cap =
(struct ieee80211_ht_capabilities *)
elems.ht_capabilities;
diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 7b4ee18..3866ddf 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -265,8 +265,9 @@
elems->timeout_int = pos;
break;
case WLAN_EID_HT_CAP:
+ if (elen < sizeof(struct ieee80211_ht_capabilities))
+ break;
elems->ht_capabilities = pos;
- elems->ht_capabilities_len = elen;
break;
case WLAN_EID_HT_OPERATION:
elems->ht_operation = pos;
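Review bot: The added `if (elen < sizeof(struct ieee80211_ht_capabilities)) break;` drops a malformed HT Capabilities element without any trace, and since the _len field is removed no consumer can later tell an undersized element from an absent one. A debug line before the break, gated on the parser's show_errors flag if that is what the trailing 0 argument in the hw_features_common.c hunk corresponds to, e.g. `wpa_printf(MSG_DEBUG, "HT: Too short HT Capabilities element (len=%lu)", (unsigned long) elen);`, would make malformed frames visible when troubleshooting. The switch belongs to ieee802_11_parse_elems(), whose body lies outside the hunk.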
diff --git a/src/common/ieee802_11_common.h b/src/common/ieee802_11_common.h
index a689e6b..5306783 100644
--- a/src/common/ieee802_11_common.h
+++ b/src/common/ieee802_11_common.h
@@ -61,7 +61,6 @@
u8 supp_channels_len;
u8 mdie_len;
u8 ftie_len;
- u8 ht_capabilities_len;
u8 ht_operation_len;
u8 mesh_config_len;
u8 mesh_id_len;
diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index c1d7749..490fcaa 100644
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -1577,9 +1577,7 @@
static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
struct wpa_tdls_peer *peer)
{
- if (!kde->ht_capabilities ||
- kde->ht_capabilities_len <
- sizeof(struct ieee80211_ht_capabilities) ) {
+ if (!kde->ht_capabilities) {
wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
"received");
return 0;
diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index 5741a5b..ec3eab0 100644
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -553,9 +553,9 @@
} else if (*pos == WLAN_EID_EXT_SUPP_RATES) {
ie->ext_supp_rates = pos;
ie->ext_supp_rates_len = pos[1] + 2;
- } else if (*pos == WLAN_EID_HT_CAP) {
+ } else if (*pos == WLAN_EID_HT_CAP &&
+ pos[1] >= sizeof(struct ieee80211_ht_capabilities)) {
ie->ht_capabilities = pos + 2;
- ie->ht_capabilities_len = pos[1];
} else if (*pos == WLAN_EID_VHT_AID) {
if (pos[1] >= 2)
ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;
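Review bot: Moving the length test into the `else if (*pos == WLAN_EID_HT_CAP && ...)` condition means a too-short HT Capabilities element is no longer consumed by this branch and falls through the rest of the chain; if the chain ends in a catch-all for unrecognized elements (outside the hunk), such an element now lands there. The neighbouring WLAN_EID_VHT_AID branch keeps its size test inside the branch, and the same shape would be clearer here: `} else if (*pos == WLAN_EID_HT_CAP) {` / `if (pos[1] >= sizeof(struct ieee80211_ht_capabilities))` / `ie->ht_capabilities = pos + 2;`. The comparison only checks the declared length; it is sound provided the loop header (outside the hunk) has already verified that `pos[1]` bytes remain in the buffer.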
diff --git a/src/rsn_supp/wpa_ie.h b/src/rsn_supp/wpa_ie.h
index 0fc42cc..edabfc7 100644
--- a/src/rsn_supp/wpa_ie.h
+++ b/src/rsn_supp/wpa_ie.h
@@ -50,7 +50,6 @@
const u8 *ext_supp_rates;
size_t ext_supp_rates_len;
const u8 *ht_capabilities;
- size_t ht_capabilities_len;
const u8 *vht_capabilities;
size_t vht_capabilities_len;
const u8 *supp_channels;
diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index 1d6f2be..b29b5ff 100644
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -551,8 +551,7 @@
mesh_mpm_init_link(wpa_s, sta);
#ifdef CONFIG_IEEE80211N
- copy_sta_ht_capab(data, sta, elems->ht_capabilities,
- elems->ht_capabilities_len);
+ copy_sta_ht_capab(data, sta, elems->ht_capabilities);
update_ht_state(data, sta);
#endif /* CONFIG_IEEE80211N */