From 05e5e88373d91c75e9262a3f984be511960e510d Mon Sep 17 00:00:00 2001
From: Luis Carlos Cobo
Date: Mon, 31 Mar 2008 16:00:13 -0700
Subject: [PATCH] mac80211: check for mesh_config length on incoming management frames
Signed-off-by: Luis Carlos Cobo
Signed-off-by: John W. Linville
---
 net/mac80211/ieee80211_sta.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/ieee80211_sta.c b/net/mac80211/ieee80211_sta.c
index 152682d..927ffbf 100644
--- a/net/mac80211/ieee80211_sta.c
+++ b/net/mac80211/ieee80211_sta.c
@@ -2150,11 +2150,14 @@ ieee80211_rx_mesh_bss_get(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
 static struct ieee80211_sta_bss *
 ieee80211_rx_mesh_bss_add(struct net_device *dev, u8 *mesh_id, int mesh_id_len,
- u8 *mesh_cfg, int freq)
+ u8 *mesh_cfg, int mesh_config_len, int freq)
 {
 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
 struct ieee80211_sta_bss *bss;
+ if (mesh_config_len != MESH_CFG_LEN)
+ return NULL;
+
 bss = kzalloc(sizeof(*bss), GFP_ATOMIC);
 if (!bss)
 return NULL;
@@ -2528,7 +2531,8 @@ static void ieee80211_rx_bss_info(struct net_device *dev,
 #ifdef CONFIG_MAC80211_MESH
 if (elems.mesh_config)
 bss = ieee80211_rx_mesh_bss_add(dev, elems.mesh_id,
- elems.mesh_id_len, elems.mesh_config, freq);
+ elems.mesh_id_len, elems.mesh_config,
+ elems.mesh_config_len, freq);
 else
 #endif
 bss = ieee80211_rx_bss_add(dev, mgmt->bssid, freq,
-- 
2.7.4
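Review bot: The new `mesh_config_len != MESH_CFG_LEN` guard in ieee80211_rx_mesh_bss_add returns NULL, which is also what the kzalloc failure just below it returns, so the caller cannot tell a malformed element in a received frame from memory pressure, and nothing records the rejection. The check also has no comment saying why an exact length is required; I would add `/* mesh_cfg points into a received frame: accept only a MESH_CFG_LEN-byte element */` above it. The new parameter is spelled `mesh_config_len` next to `mesh_cfg`; `mesh_cfg_len` would keep the pair consistent. The function body continues past the hunk, so how mesh_cfg is consumed afterwards is not visible here.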
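Review bot: The length of `elems.mesh_config` is validated only inside the add helper, so any other consumer of that element in ieee80211_rx_bss_info still sees an unchecked, sender-controlled length. The first hunk's header names ieee80211_rx_mesh_bss_get, which this commit does not touch; if that lookup compares or copies MESH_CFG_LEN bytes from the same pointer (not visible here), a short element would be read past its end. Checking once before the first use, for example `if (elems.mesh_config && elems.mesh_config_len != MESH_CFG_LEN) return;`, would cover every consumer. The body of ieee80211_rx_bss_info starts and ends outside the hunk, so the placement needs confirming against the full function.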