Simplify HT Capabilities element parsing

Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 507053e..80e4c2e 100644 (file)
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -126,8 +126,6 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
 #ifdef CONFIG_IEEE80211N
 #ifdef NEED_AP_MLME
        if (elems.ht_capabilities &&
-           elems.ht_capabilities_len >=
-           sizeof(struct ieee80211_ht_capabilities) &&
            (hapd->iface->conf->ht_capab &
             HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) {
                struct ieee80211_ht_capabilities *ht_cap =

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index a7631e4..1299677 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1282,8 +1282,7 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
        if (resp != WLAN_STATUS_SUCCESS)
                return resp;
 #ifdef CONFIG_IEEE80211N
-       resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities,
-                                elems.ht_capabilities_len);
+       resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
        if (resp != WLAN_STATUS_SUCCESS)
                return resp;
        if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&

diff --git a/src/ap/ieee802_11.h b/src/ap/ieee802_11.h
index cc5e842..a097235 100644 (file)
--- a/src/ap/ieee802_11.h
+++ b/src/ap/ieee802_11.h
@@ -62,7 +62,7 @@ void hostapd_get_vht_capab(struct hostapd_data *hapd,
                           struct ieee80211_vht_capabilities *vht_cap,
                           struct ieee80211_vht_capabilities *neg_vht_cap);
 u16 copy_sta_ht_capab(struct hostapd_data *hapd, struct sta_info *sta,
-                     const u8 *ht_capab, size_t ht_capab_len);
+                     const u8 *ht_capab);
 u16 copy_sta_vendor_vht(struct hostapd_data *hapd, struct sta_info *sta,
                        const u8 *ie, size_t len);
 

diff --git a/src/ap/ieee802_11_ht.c b/src/ap/ieee802_11_ht.c
index 9dad8e3..11fde2a 100644 (file)
--- a/src/ap/ieee802_11_ht.c
+++ b/src/ap/ieee802_11_ht.c
@@ -310,7 +310,7 @@ void hostapd_2040_coex_action(struct hostapd_data *hapd,
 
 
 u16 copy_sta_ht_capab(struct hostapd_data *hapd, struct sta_info *sta,
-                     const u8 *ht_capab, size_t ht_capab_len)
+                     const u8 *ht_capab)
 {
        /*
         * Disable HT caps for STAs associated to no-HT BSSes, or for stations
@@ -318,7 +318,6 @@ u16 copy_sta_ht_capab(struct hostapd_data *hapd, struct sta_info *sta,
         * frame.
         */
        if (!ht_capab ||
-           ht_capab_len < sizeof(struct ieee80211_ht_capabilities) ||
            !(sta->flags & WLAN_STA_WMM) || hapd->conf->disable_11n) {
                sta->flags &= ~WLAN_STA_HT;
                os_free(sta->ht_capabilities);

diff --git a/src/common/hw_features_common.c b/src/common/hw_features_common.c
index 8d83de6..8f90fff 100644 (file)
--- a/src/common/hw_features_common.c
+++ b/src/common/hw_features_common.c
@@ -335,9 +335,7 @@ int check_40mhz_2g4(struct hostapd_hw_modes *mode,
 
                ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems,
                                       0);
-               if (elems.ht_capabilities &&
-                   elems.ht_capabilities_len >=
-                   sizeof(struct ieee80211_ht_capabilities)) {
+               if (elems.ht_capabilities) {
                        struct ieee80211_ht_capabilities *ht_cap =
                                (struct ieee80211_ht_capabilities *)
                                elems.ht_capabilities;

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 7b4ee18..3866ddf 100644 (file)
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -265,8 +265,9 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
                        elems->timeout_int = pos;
                        break;
                case WLAN_EID_HT_CAP:
+                       if (elen < sizeof(struct ieee80211_ht_capabilities))
+                               break;
                        elems->ht_capabilities = pos;
-                       elems->ht_capabilities_len = elen;
                        break;
                case WLAN_EID_HT_OPERATION:
                        elems->ht_operation = pos;

diff --git a/src/common/ieee802_11_common.h b/src/common/ieee802_11_common.h
index a689e6b..5306783 100644 (file)
--- a/src/common/ieee802_11_common.h
+++ b/src/common/ieee802_11_common.h
@@ -61,7 +61,6 @@ struct ieee802_11_elems {
        u8 supp_channels_len;
        u8 mdie_len;
        u8 ftie_len;
-       u8 ht_capabilities_len;
        u8 ht_operation_len;
        u8 mesh_config_len;
        u8 mesh_id_len;

diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index c1d7749..490fcaa 100644 (file)
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -1577,9 +1577,7 @@ static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
                              struct wpa_tdls_peer *peer)
 {
-       if (!kde->ht_capabilities ||
-           kde->ht_capabilities_len <
-           sizeof(struct ieee80211_ht_capabilities) ) {
+       if (!kde->ht_capabilities) {
                wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
                           "received");
                return 0;

diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index 5741a5b..ec3eab0 100644 (file)
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -553,9 +553,9 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
                } else if (*pos == WLAN_EID_EXT_SUPP_RATES) {
                        ie->ext_supp_rates = pos;
                        ie->ext_supp_rates_len = pos[1] + 2;
-               } else if (*pos == WLAN_EID_HT_CAP) {
+               } else if (*pos == WLAN_EID_HT_CAP &&
+                          pos[1] >= sizeof(struct ieee80211_ht_capabilities)) {
                        ie->ht_capabilities = pos + 2;
-                       ie->ht_capabilities_len = pos[1];
                } else if (*pos == WLAN_EID_VHT_AID) {
                        if (pos[1] >= 2)
                                ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;

diff --git a/src/rsn_supp/wpa_ie.h b/src/rsn_supp/wpa_ie.h
index 0fc42cc..edabfc7 100644 (file)
--- a/src/rsn_supp/wpa_ie.h
+++ b/src/rsn_supp/wpa_ie.h
@@ -50,7 +50,6 @@ struct wpa_eapol_ie_parse {
        const u8 *ext_supp_rates;
        size_t ext_supp_rates_len;
        const u8 *ht_capabilities;
-       size_t ht_capabilities_len;
        const u8 *vht_capabilities;
        size_t vht_capabilities_len;
        const u8 *supp_channels;

diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index 1d6f2be..b29b5ff 100644 (file)
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -551,8 +551,7 @@ static struct sta_info * mesh_mpm_add_peer(struct wpa_supplicant *wpa_s,
        mesh_mpm_init_link(wpa_s, sta);
 
 #ifdef CONFIG_IEEE80211N
-       copy_sta_ht_capab(data, sta, elems->ht_capabilities,
-                       elems->ht_capabilities_len);
+       copy_sta_ht_capab(data, sta, elems->ht_capabilities);
        update_ht_state(data, sta);
 #endif /* CONFIG_IEEE80211N */