mac80211: validate TIM IE length (redux)
The TIM IE must not be shorter than 4 bytes, so verify that
when parsing it and use the proper type. To ease that adjust
struct ieee80211_tim_ie to have a virtual bitmap of size
at least 1.
Also check that the TIM IE is actually present before trying
to parse it!
Because other people may need the function, make it a static
inline in ieee80211.h.
(The original "mac80211: validate TIM IE length" was a minimal fix for
2.6.30. This purports to be the full, correct fix. -- JWL)
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 53563d5..c52e7fb 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -540,7 +540,7 @@
u8 dtim_period;
u8 bitmap_ctrl;
/* variable size: 1 - 251 bytes */
- u8 virtual_map[0];
+ u8 virtual_map[1];
} __attribute__ ((packed));
#define WLAN_SA_QUERY_TR_ID_LEN 16
@@ -1392,4 +1392,34 @@
return 1024 * tu;
}
+/**
+ * ieee80211_check_tim - check if AID bit is set in TIM
+ * @tim: the TIM IE
+ * @tim_len: length of the TIM IE
+ * @aid: the AID to look for
+ */
+static inline bool ieee80211_check_tim(struct ieee80211_tim_ie *tim,
+ u8 tim_len, u16 aid)
+{
+ u8 mask;
+ u8 index, indexn1, indexn2;
+
+ if (unlikely(!tim || tim_len < sizeof(*tim)))
+ return false;
+
+ aid &= 0x3fff;
+ index = aid / 8;
+ mask = 1 << (aid & 7);
+
+ indexn1 = tim->bitmap_ctrl & 0xfe;
+ indexn2 = tim_len + indexn1 - 4;
+
+ if (index < indexn1 || index > indexn2)
+ return false;
+
+ index -= indexn1;
+
+ return !!(tim->virtual_map[index] & mask);
+}
+
#endif /* LINUX_IEEE80211_H */