cfg80211: fix the IE inheritance of extension IEs
Extension IEs have ID 255 followed by extension ID. Current code is buggy in handling it in two ways: 1. When checking if IE is in the frame, it uses just the ID, which for extension elements is too broad. 2. It uses 0xFF to mark copied IEs, which will result in not copying extension IEs from the subelement. Fix both issues. Signed-off-by: Sara Sharon <sara.sharon@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
parent
caf56338c2
commit
c17fe043a3
1 changed files with 13 additions and 7 deletions
|
@ -216,7 +216,13 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
tmp = (u8 *)cfg80211_find_ie(tmp_old[0], sub_copy, subie_len);
|
if (tmp_old[0] == WLAN_EID_EXTENSION)
|
||||||
|
tmp = (u8 *)cfg80211_find_ext_ie(tmp_old[2], sub_copy,
|
||||||
|
subie_len);
|
||||||
|
else
|
||||||
|
tmp = (u8 *)cfg80211_find_ie(tmp_old[0], sub_copy,
|
||||||
|
subie_len);
|
||||||
|
|
||||||
if (!tmp) {
|
if (!tmp) {
|
||||||
/* ie in old ie but not in subelement */
|
/* ie in old ie but not in subelement */
|
||||||
if (tmp_old[0] != WLAN_EID_MULTIPLE_BSSID) {
|
if (tmp_old[0] != WLAN_EID_MULTIPLE_BSSID) {
|
||||||
|
@ -226,8 +232,9 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
|
||||||
} else {
|
} else {
|
||||||
/* ie in transmitting ie also in subelement,
|
/* ie in transmitting ie also in subelement,
|
||||||
* copy from subelement and flag the ie in subelement
|
* copy from subelement and flag the ie in subelement
|
||||||
* as copied (by setting eid field to 0xff). For
|
* as copied (by setting eid field to WLAN_EID_SSID,
|
||||||
* vendor ie, compare OUI + type + subType to
|
* which is skipped anyway).
|
||||||
|
* For vendor ie, compare OUI + type + subType to
|
||||||
* determine if they are the same ie.
|
* determine if they are the same ie.
|
||||||
*/
|
*/
|
||||||
if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
|
if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
|
||||||
|
@ -237,7 +244,7 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
|
||||||
*/
|
*/
|
||||||
memcpy(pos, tmp, tmp[1] + 2);
|
memcpy(pos, tmp, tmp[1] + 2);
|
||||||
pos += tmp[1] + 2;
|
pos += tmp[1] + 2;
|
||||||
tmp[0] = 0xff;
|
tmp[0] = WLAN_EID_SSID;
|
||||||
} else {
|
} else {
|
||||||
memcpy(pos, tmp_old, tmp_old[1] + 2);
|
memcpy(pos, tmp_old, tmp_old[1] + 2);
|
||||||
pos += tmp_old[1] + 2;
|
pos += tmp_old[1] + 2;
|
||||||
|
@ -246,7 +253,7 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
|
||||||
/* copy ie from subelement into new ie */
|
/* copy ie from subelement into new ie */
|
||||||
memcpy(pos, tmp, tmp[1] + 2);
|
memcpy(pos, tmp, tmp[1] + 2);
|
||||||
pos += tmp[1] + 2;
|
pos += tmp[1] + 2;
|
||||||
tmp[0] = 0xff;
|
tmp[0] = WLAN_EID_SSID;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -263,8 +270,7 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
|
||||||
while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
|
while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
|
||||||
if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
|
if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
|
||||||
tmp_new[0] == WLAN_EID_SSID ||
|
tmp_new[0] == WLAN_EID_SSID ||
|
||||||
tmp_new[0] == WLAN_EID_MULTI_BSSID_IDX ||
|
tmp_new[0] == WLAN_EID_MULTI_BSSID_IDX)) {
|
||||||
tmp_new[0] == 0xff)) {
|
|
||||||
memcpy(pos, tmp_new, tmp_new[1] + 2);
|
memcpy(pos, tmp_new, tmp_new[1] + 2);
|
||||||
pos += tmp_new[1] + 2;
|
pos += tmp_new[1] + 2;
|
||||||
}
|
}
|
||||||
|
|
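Review bot: In the first hunk, `tmp_old[2]` is read as the extension ID whenever `tmp_old[0] == WLAN_EID_EXTENSION`, with no check that the element's length byte `tmp_old[1]` is at least 1. This element data is parsed from received frames, so a zero-length extension element would make the lookup key the first byte of the next element or, if it is the last element in `ie`, a byte past `ielen`; the `tmp_old` loop bound is outside the hunk, but the `tmp_new` loop in the last hunk only guarantees `tmp_new[1] + 2` bytes and the `tmp_old` loop presumably does the same. The branch should test the length first, e.g. `if (tmp_old[0] == WLAN_EID_EXTENSION && tmp_old[1] >= 1)`. A zero-length extension element is better skipped as malformed than passed to `cfg80211_find_ie()`, which matches on the ID alone and so brings back the over-broad match this commit removes.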