|
@@ -954,7 +954,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
|
|
|
|
|
|
switch (elem->data[0]) {
|
|
|
case WLAN_EID_EXT_HE_MU_EDCA:
|
|
|
- if (len == sizeof(*elems->mu_edca_param_set)) {
|
|
|
+ if (len >= sizeof(*elems->mu_edca_param_set)) {
|
|
|
elems->mu_edca_param_set = data;
|
|
|
if (crc)
|
|
|
*crc = crc32_be(*crc, (void *)elem,
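Review bot: The relaxed `len >= sizeof(*elems->mu_edca_param_set)` test in the `WLAN_EID_EXT_HE_MU_EDCA` case stores only the pointer, so later readers cannot tell how many bytes were actually present, and nothing here documents that trailing bytes are deliberately ignored. The same applies to the `WLAN_EID_EXT_UORA`, `WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION` and `WLAN_EID_EXT_HE_6GHZ_CAPA` hunks below. I would add a comment above the switch such as `/* elements may be longer than the layout known here; only the first sizeof() bytes are interpreted */`, because these elements come from received frames and a reader that later assumes an exact length would be working on unvalidated data. The function body and the `crc32_be()` call continue outside the hunk, so whether the CRC covers the extra bytes cannot be checked from here.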
|
|
@@ -975,7 +975,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
|
|
|
}
|
|
|
break;
|
|
|
case WLAN_EID_EXT_UORA:
|
|
|
- if (len == 1)
|
|
|
+ if (len >= 1)
|
|
|
elems->uora_element = data;
|
|
|
break;
|
|
|
case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
|
|
@@ -983,7 +983,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
|
|
|
elems->max_channel_switch_time = data;
|
|
|
break;
|
|
|
case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
|
|
|
- if (len == sizeof(*elems->mbssid_config_ie))
|
|
|
+ if (len >= sizeof(*elems->mbssid_config_ie))
|
|
|
elems->mbssid_config_ie = data;
|
|
|
break;
|
|
|
case WLAN_EID_EXT_HE_SPR:
|
|
@@ -992,7 +992,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
|
|
|
elems->he_spr = data;
|
|
|
break;
|
|
|
case WLAN_EID_EXT_HE_6GHZ_CAPA:
|
|
|
- if (len == sizeof(*elems->he_6ghz_capa))
|
|
|
+ if (len >= sizeof(*elems->he_6ghz_capa))
|
|
|
elems->he_6ghz_capa = data;
|
|
|
break;
|
|
|
}
|
|
@@ -1081,14 +1081,14 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|
|
|
|
|
switch (id) {
|
|
|
case WLAN_EID_LINK_ID:
|
|
|
- if (elen + 2 != sizeof(struct ieee80211_tdls_lnkie)) {
|
|
|
+ if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
|
|
|
elem_parse_failed = true;
|
|
|
break;
|
|
|
}
|
|
|
elems->lnk_id = (void *)(pos - 2);
|
|
|
break;
|
|
|
case WLAN_EID_CHAN_SWITCH_TIMING:
|
|
|
- if (elen != sizeof(struct ieee80211_ch_switch_timing)) {
|
|
|
+ if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
|
|
|
elem_parse_failed = true;
|
|
|
break;
|
|
|
}
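Review bot: In the `WLAN_EID_LINK_ID` and `WLAN_EID_CHAN_SWITCH_TIMING` cases an over-long element no longer sets `elem_parse_failed`, so a frame that was previously reported as malformed is now parsed as valid. The same holds for the `WLAN_EID_CHAN_SWITCH_PARAM`, `WLAN_EID_WIDE_BW_CHANNEL_SWITCH` and `WLAN_EID_ADDBA_EXT` hunks. The lower bound keeps reads of the fixed struct in range, but any caller that relied on the parse-error result to discard oddly sized elements from a peer loses that filter; the callers are not visible here, so this should be confirmed before merging. A short comment at the first case, for example `/* longer elements are accepted; only sizeof(struct) bytes are used */`, would record that the change is intentional. The switch itself starts and ends outside this hunk.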
|
|
@@ -1251,7 +1251,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|
|
elems->sec_chan_offs = (void *)pos;
|
|
|
break;
|
|
|
case WLAN_EID_CHAN_SWITCH_PARAM:
|
|
|
- if (elen !=
|
|
|
+ if (elen <
|
|
|
sizeof(*elems->mesh_chansw_params_ie)) {
|
|
|
elem_parse_failed = true;
|
|
|
break;
|
|
@@ -1260,7 +1260,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|
|
break;
|
|
|
case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
|
|
|
if (!action ||
|
|
|
- elen != sizeof(*elems->wide_bw_chansw_ie)) {
|
|
|
+ elen < sizeof(*elems->wide_bw_chansw_ie)) {
|
|
|
elem_parse_failed = true;
|
|
|
break;
|
|
|
}
|
|
@@ -1279,7 +1279,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|
|
ie = cfg80211_find_ie(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
|
|
|
pos, elen);
|
|
|
if (ie) {
|
|
|
- if (ie[1] == sizeof(*elems->wide_bw_chansw_ie))
|
|
|
+ if (ie[1] >= sizeof(*elems->wide_bw_chansw_ie))
|
|
|
elems->wide_bw_chansw_ie =
|
|
|
(void *)(ie + 2);
|
|
|
else
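Review bot: The nested check `ie[1] >= sizeof(*elems->wide_bw_chansw_ie)` reads a length byte from an inner element and now accepts any value at or above the struct size. Its safety therefore rests on `cfg80211_find_ie()` returning only elements that lie fully within `pos, elen`. That guarantee is not visible in this hunk; if it holds, a comment such as `/* cfg80211_find_ie() only returns elements fully contained in the buffer */` would make the dependency explicit for the next reader. The `else` branch continues outside the hunk.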
|
|
@@ -1323,7 +1323,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|
|
elems->cisco_dtpc_elem = pos;
|
|
|
break;
|
|
|
case WLAN_EID_ADDBA_EXT:
|
|
|
- if (elen != sizeof(struct ieee80211_addba_ext_ie)) {
|
|
|
+ if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
|
|
|
elem_parse_failed = true;
|
|
|
break;
|
|
|
}
|
|
@@ -1349,7 +1349,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|
|
elem, elems);
|
|
|
break;
|
|
|
case WLAN_EID_S1G_CAPABILITIES:
|
|
|
- if (elen == sizeof(*elems->s1g_capab))
|
|
|
+ if (elen >= sizeof(*elems->s1g_capab))
|
|
|
elems->s1g_capab = (void *)pos;
|
|
|
else
|
|
|
elem_parse_failed = true;
|