From: Johannes Berg Date: Thu, 3 Nov 2011 08:27:01 +0000 (+0100) Subject: nl80211: fix HT capability attribute validation X-Git-Tag: upstream/snapshot3+hdmi~8468^2^2~59 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6c7394197af90f6a332180e33f5d025d3037d883;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git nl80211: fix HT capability attribute validation Since the NL80211_ATTR_HT_CAPABILITY attribute is used as a struct, it needs a minimum, not maximum length. Enforce that properly. Not doing so could potentially lead to reading after the buffer. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg Signed-off-by: John W. Linville
---
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 48260c2..b587857 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -132,8 +132,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
 [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
 [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
- [NL80211_ATTR_HT_CAPABILITY] = { .type = NLA_BINARY,
- .len = NL80211_HT_CAPABILITY_LEN },
+ [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
 [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
 [NL80211_ATTR_IE] = { .type = NLA_BINARY,