
HE: Consider the dynamic length of the mcs_nss and ppet fields of HE Capability IE

Message ID 1561468597-6282-1-git-send-email-shay.bar@celeno.com
State Superseded

Commit Message

Shay Bar June 25, 2019, 1:17 p.m. UTC
he_capab_len is always greater than sizeof(struct ieee80211_he_capabilities) because of the dynamic mcs_nss and ppet fields.
Thus, the validity check in copy_sta_he_capab will always fail and he_capab will never be parsed.
The fix is to validate that he_capab_len does not exceed the maximum HE Capabilities element size and to use the actual he_capab_len when copying the element.
Also, take these fields into consideration in beacon.c
---
 src/ap/beacon.c        |  4 ++++
 src/ap/ieee802_11_he.c | 10 ++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

--
1.9.1

Patch

diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index a51b949..98efb45 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -397,6 +397,8 @@  static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd,
 #ifdef CONFIG_IEEE80211AX
 if (hapd->iconf->ieee80211ax) {
 buflen += 3 + sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE +
 3 + sizeof(struct ieee80211_he_operation) +
 3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) +
 3 + sizeof(struct ieee80211_spatial_reuse);
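Review bot: The same three-term upper bound `sizeof(struct ieee80211_he_capabilities) + HE_MAX_MCS_CAPAB_SIZE + HE_MAX_PPET_CAPAB_SIZE` is now spelled out here, again in the tail_len hunk below, and a third time as he_capab_max_len in copy_sta_he_capab; one named constant next to the two macros, e.g. `#define HE_MAX_CAPAB_SIZE (sizeof(struct ieee80211_he_capabilities) + HE_MAX_MCS_CAPAB_SIZE + HE_MAX_PPET_CAPAB_SIZE)`, would keep the probe response budget, the beacon tail budget and the per-STA length check from drifting apart. The diffstat lists no header change, so HE_MAX_MCS_CAPAB_SIZE and HE_MAX_PPET_CAPAB_SIZE are presumably already defined; if they are not, this hunk does not build. This only enlarges the buffer budget, so the element actually emitted by the HE capabilities builder (outside this hunk) is what has to stay within that bound. hostapd_gen_probe_resp continues outside the hunk.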
@@ -1089,6 +1091,8 @@  int ieee802_11_build_ap_params(struct hostapd_data *hapd,
 #ifdef CONFIG_IEEE80211AX
 if (hapd->iconf->ieee80211ax) {
 tail_len += 3 + sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE +
 3 + sizeof(struct ieee80211_he_operation) +
 3 + sizeof(struct ieee80211_he_mu_edca_parameter_set) +
 3 + sizeof(struct ieee80211_spatial_reuse);
diff --git a/src/ap/ieee802_11_he.c b/src/ap/ieee802_11_he.c
index a51f3fc..a7a74f0 100644
--- a/src/ap/ieee802_11_he.c
+++ b/src/ap/ieee802_11_he.c
@@ -323,9 +323,12 @@  u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
       enum ieee80211_op_mode opmode, const u8 *he_capab,
       size_t he_capab_len)
 {
+size_t he_capab_max_len = sizeof(struct ieee80211_he_capabilities) +
+HE_MAX_MCS_CAPAB_SIZE +
+HE_MAX_PPET_CAPAB_SIZE;
 if (!he_capab || !hapd->iconf->ieee80211ax ||
     !check_valid_he_mcs(hapd, he_capab, opmode) ||
-    he_capab_len > sizeof(struct ieee80211_he_capabilities)) {
+    he_capab_len > he_capab_max_len) {
 sta->flags &= ~WLAN_STA_HE;
 os_free(sta->he_capab);
 sta->he_capab = NULL;
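Review bot: The new length test only bounds the element from above, so an HE Capabilities element shorter than the fixed part still passes; and because `check_valid_he_mcs(hapd, he_capab, opmode)` is evaluated before the length term in the same condition and is given no length, it presumably reads MCS/NSS bytes past the end of a truncated element. I would reject short elements and test the length before the contents are touched: `he_capab_len < sizeof(struct ieee80211_he_capabilities) || he_capab_len > he_capab_max_len ||` placed ahead of the check_valid_he_mcs term (a minimum that also covers the smallest MCS/NSS set would be stricter still, if such a constant exists). Note also that the accepted he_capab_len becomes the allocation, memset and memcpy size further down, where an existing sta->he_capab is reused as-is; if a station re-associates with a longer element than its buffer was sized for, that copy overflows the old allocation unless the caller frees it first. The tail of copy_sta_he_capab lies outside this hunk.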
@@ -333,14 +336,13 @@  u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
 }

 if (!sta->he_capab) {
-sta->he_capab =
-os_zalloc(sizeof(struct ieee80211_he_capabilities));
+sta->he_capab =os_zalloc(he_capab_len);
 if (!sta->he_capab)
 return WLAN_STATUS_UNSPECIFIED_FAILURE;
 }

 sta->flags |= WLAN_STA_HE;
-os_memset(sta->he_capab, 0, sizeof(struct ieee80211_he_capabilities));
+os_memset(sta->he_capab, 0, he_capab_len);
 os_memcpy(sta->he_capab, he_capab, he_capab_len);
 sta->he_capab_len = he_capab_len;