TDLS: Work around interop issues with supported operating class
author Sunil Dutt Undekari <usdutt@qti.qualcomm.com>
Tue, 25 Feb 2014 08:50:48 +0000 (14:20 +0530)
committer Jouni Malinen <j@w1.fi>
Thu, 27 Feb 2014 14:38:14 +0000 (16:38 +0200)
It looks like some deployed devices may send an invalid supported
operating class element (length = 0) in TDLS Setup messages. With
cfg80211, this results in the NL80211_CMD_SET_STATION command failing
due to an invalid argument (cfg80211 mandates supported operating
classes information to have a length of 2..253 octets).

Work around this interop issue by ignoring the Supported Operating Class
element if it has invalid length.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/rsn_supp/wpa_ie.c

index 9c11183..610b65a 100644 (file)
@@ -522,8 +522,16 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
                        ie->supp_channels = pos + 2;
                        ie->supp_channels_len = pos[1];
                } else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) {
-                       ie->supp_oper_classes = pos + 2;
-                       ie->supp_oper_classes_len = pos[1];
+                       /*
+                        * The value of the Length field of the Supported
+                        * Operating Classes element is between 2 and 253.
+                        * Silently skip invalid elements to avoid interop
+                        * issues when trying to use the value.
+                        */
+                       if (pos[1] >= 2 && pos[1] <= 253) {
+                               ie->supp_oper_classes = pos + 2;
+                               ie->supp_oper_classes_len = pos[1];
+                       }
                } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
                        ret = wpa_parse_generic(pos, end, ie);
                        if (ret < 0)
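
Review bot: The rejection path of the new `if (pos[1] >= 2 && pos[1] <= 253)` check leaves no trace in the logs, so a peer sending a malformed Supported Operating Classes element cannot be identified afterwards; consider adding a debug-level message in an else branch that reports the offending length. The bounds 2 and 253 would also read better as named constants than as literals repeated in the comment and the condition. Separately, the Supported Channels branch in the context lines just above still stores `pos[1]` into `ie->supp_channels_len` without any length check, so it is worth confirming whether that element needs the same kind of validation before it is passed on.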