From: Sunil Dutt Undekari Date: Tue, 25 Feb 2014 08:50:48 +0000 (+0530) Subject: TDLS: Work around interop issues with supported operating class X-Git-Tag: hostap_2_2~731 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1578796a31b4a2d2f0e8a83cf0d714cf7763ddba;p=thirdparty%2Fhostap.git TDLS: Work around interop issues with supported operating class It looks like some deployed devices may send an invalid supported operating class element (length = 0) in TDLS Setup messages. With cfg80211, this results in the NL80211_CMD_SET_STATION command failing due to an invalid argument (cfg80211 mandates supported operating classes information to have a length of 2..253 octets). Work around this interop issue by ignoring the Supported Operating Class element if it has invalid length. Signed-off-by: Jouni Malinen --- diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index 9c1118395..610b65a84 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -522,8 +522,16 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len, ie->supp_channels = pos + 2; ie->supp_channels_len = pos[1]; } else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) { - ie->supp_oper_classes = pos + 2; - ie->supp_oper_classes_len = pos[1]; + /* + * The value of the Length field of the Supported + * Operating Classes element is between 2 and 253. + * Silently skip invalid elements to avoid interop + * issues when trying to use the value. + */ + if (pos[1] >= 2 && pos[1] <= 253) { + ie->supp_oper_classes = pos + 2; + ie->supp_oper_classes_len = pos[1]; + } } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) { ret = wpa_parse_generic(pos, end, ie); if (ret < 0)
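Review bot: The new length check in the WLAN_EID_SUPPORTED_OPERATING_CLASSES branch drops an out-of-range element without leaving any trace, so a peer sending the length = 0 element described in the commit message cannot be identified from a debug log afterwards. Consider adding an else branch that logs the rejected pos[1] value at debug level (for example with wpa_printf(MSG_DEBUG, ...)), which keeps the workaround silent for users but diagnosable for developers. The bounds 2 and 253 are bare literals in the condition; named constants would document where they come from and keep the check aligned with the range cfg80211 enforces. The supp_channels assignment visible in the context lines just above still stores pos[1] unchecked; whether it needs an equivalent bound cannot be determined from this hunk, but it is worth confirming while this code is being touched.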