Simplify VHT Capabilities element parsing

Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 12996775dc1d20ce3976643def8202b957982707..5b265584b55a4f689e5f2bd750aa77bbc2cfb307 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1295,8 +1295,7 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 #endif /* CONFIG_IEEE80211N */
 
 #ifdef CONFIG_IEEE80211AC
-       resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities,
-                                 elems.vht_capabilities_len);
+       resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
        if (resp != WLAN_STATUS_SUCCESS)
                return resp;
 

diff --git a/src/ap/ieee802_11.h b/src/ap/ieee802_11.h
index a0972358d07de7c987a7a830a824037d246a8847..44c1bff364ac495b700a6ac4de97258f56e5c7d1 100644 (file)
--- a/src/ap/ieee802_11.h
+++ b/src/ap/ieee802_11.h
@@ -70,7 +70,7 @@ void update_ht_state(struct hostapd_data *hapd, struct sta_info *sta);
 void ht40_intolerant_add(struct hostapd_iface *iface, struct sta_info *sta);
 void ht40_intolerant_remove(struct hostapd_iface *iface, struct sta_info *sta);
 u16 copy_sta_vht_capab(struct hostapd_data *hapd, struct sta_info *sta,
-                      const u8 *vht_capab, size_t vht_capab_len);
+                      const u8 *vht_capab);
 u16 set_sta_vht_opmode(struct hostapd_data *hapd, struct sta_info *sta,
                       const u8 *vht_opmode);
 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,

diff --git a/src/ap/ieee802_11_vht.c b/src/ap/ieee802_11_vht.c
index 171538ad74a7a2c1379faa739de516367b34276d..5bf1b5d72002a8e0acc6bb5948795ab8c2bc5050 100644 (file)
--- a/src/ap/ieee802_11_vht.c
+++ b/src/ap/ieee802_11_vht.c
@@ -132,11 +132,10 @@ static int check_valid_vht_mcs(struct hostapd_hw_modes *mode,
 
 
 u16 copy_sta_vht_capab(struct hostapd_data *hapd, struct sta_info *sta,
-                      const u8 *vht_capab, size_t vht_capab_len)
+                      const u8 *vht_capab)
 {
        /* Disable VHT caps for STAs associated to no-VHT BSSes. */
        if (!vht_capab ||
-           vht_capab_len < sizeof(struct ieee80211_vht_capabilities) ||
            hapd->conf->disable_11ac ||
            !check_valid_vht_mcs(hapd->iface->current_mode, vht_capab)) {
                sta->flags &= ~WLAN_STA_VHT;

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 3866ddfe21b89f5455eb36e8012af6018ad2c1cf..922dea0aa2efa40d66365b8729635af8269bb5be 100644 (file)
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -286,8 +286,9 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
                        elems->peer_mgmt_len = elen;
                        break;
                case WLAN_EID_VHT_CAP:
+                       if (elen < sizeof(struct ieee80211_vht_capabilities))
+                               break;
                        elems->vht_capabilities = pos;
-                       elems->vht_capabilities_len = elen;
                        break;
                case WLAN_EID_VHT_OPERATION:
                        elems->vht_operation = pos;

diff --git a/src/common/ieee802_11_common.h b/src/common/ieee802_11_common.h
index 5306783e2e1acf32784158b19e61ead8446631cd..24e558ee740cc1b90ef1c2e4be1b57a19b724d7a 100644 (file)
--- a/src/common/ieee802_11_common.h
+++ b/src/common/ieee802_11_common.h
@@ -65,7 +65,6 @@ struct ieee802_11_elems {
        u8 mesh_config_len;
        u8 mesh_id_len;
        u8 peer_mgmt_len;
-       u8 vht_capabilities_len;
        u8 vht_operation_len;
        u8 vendor_ht_cap_len;
        u8 vendor_vht_len;

diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index 490fcaa621621aefea73e7f3ecc96a15e689ce12..6b1df7119422140b15db0abd3fe2b95b5ddceff6 100644 (file)
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -1603,9 +1603,7 @@ static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
                              struct wpa_tdls_peer *peer)
 {
-       if (!kde->vht_capabilities ||
-           kde->vht_capabilities_len <
-           sizeof(struct ieee80211_vht_capabilities) ) {
+       if (!kde->vht_capabilities) {
                wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
                           "received");
                return 0;

diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index ec3eab0db0063726b2f0de19a0b5941bc6f58261..0c37b35c1ee1df83693db4247485629f08f5cef9 100644 (file)
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -559,9 +559,10 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
                } else if (*pos == WLAN_EID_VHT_AID) {
                        if (pos[1] >= 2)
                                ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;
-               } else if (*pos == WLAN_EID_VHT_CAP) {
+               } else if (*pos == WLAN_EID_VHT_CAP &&
+                          pos[1] >= sizeof(struct ieee80211_vht_capabilities))
+               {
                        ie->vht_capabilities = pos + 2;
-                       ie->vht_capabilities_len = pos[1];
                } else if (*pos == WLAN_EID_QOS && pos[1] >= 1) {
                        ie->qosinfo = pos[2];
                } else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) {

diff --git a/src/rsn_supp/wpa_ie.h b/src/rsn_supp/wpa_ie.h
index edabfc792c981e0125a3d57890a221a1470d6556..fe95af0abc5194c706ef1f113c9b782ae45a1a7b 100644 (file)
--- a/src/rsn_supp/wpa_ie.h
+++ b/src/rsn_supp/wpa_ie.h
@@ -51,7 +51,6 @@ struct wpa_eapol_ie_parse {
        size_t ext_supp_rates_len;
        const u8 *ht_capabilities;
        const u8 *vht_capabilities;
-       size_t vht_capabilities_len;
        const u8 *supp_channels;
        size_t supp_channels_len;
        const u8 *supp_oper_classes;