Simplify VHT Operation element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 85d6ca8..7843e6f 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -292,8 +292,9 @@
elems->vht_capabilities = pos;
break;
case WLAN_EID_VHT_OPERATION:
+ if (elen < sizeof(struct ieee80211_vht_operation))
+ break;
elems->vht_operation = pos;
- elems->vht_operation_len = elen;
break;
case WLAN_EID_VHT_OPERATING_MODE_NOTIFICATION:
if (elen != 1)
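Review bot: The guard added under `case WLAN_EID_VHT_OPERATION:` rejects only short elements (`elen < sizeof(struct ieee80211_vht_operation)`), so an over-long element from a received frame is still accepted, although the commit message calls the element fixed length. With `vht_operation_len` removed, this check is the only bound a consumer of `elems->vht_operation` has, so the contract should be stated where it is enforced, for example `/* non-NULL vht_operation implies at least sizeof(struct ieee80211_vht_operation) octets; any extra octets are ignored */`. If exact length is what is intended, `if (elen != sizeof(struct ieee80211_vht_operation))` would match the `elen != 1` style of the next case. The enclosing switch starts and ends outside the hunk, and no users of the removed field appear in this diff, so any remaining readers of `vht_operation_len` need to be checked separately.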
diff --git a/src/common/ieee802_11_common.h b/src/common/ieee802_11_common.h
index 33e60b2..c84d8a7 100644
--- a/src/common/ieee802_11_common.h
+++ b/src/common/ieee802_11_common.h
@@ -64,7 +64,6 @@
u8 mesh_config_len;
u8 mesh_id_len;
u8 peer_mgmt_len;
- u8 vht_operation_len;
u8 vendor_ht_cap_len;
u8 vendor_vht_len;
u8 p2p_len;