mac80211: fix IBSS presp allocation size

commit f1f3e9e2a50a70de908f9dfe0d870e9cdc67e042 upstream. When VHT IBSS support was added, the size of the extra elements wasn't considered in ieee80211_ibss_build_presp(), which makes it possible that it would overrun the allocated buffer. Fix it by allocating the necessary space. Fixes: abcff6ef01f9 ("mac80211: add VHT support for IBSS") Reported-by: Shaul Triebitz <shaul.triebitz@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Johannes Berg <johannes.berg@intel.com> 2017-04-27 13:19:04 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-06-26 07:13:09 +0200
commit: daebcf9871eb2be387527e8c6cb23ad74dcb3b02 (patch)
tree: df2d8bb7f9c79bef9672b8c11e33ddc1f1e5eff1
parent: bb8428f4c954ae12e8874be18826e16ba96ad1c9 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index af5f3bb586ff..24ba31601fc9 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -66,6 +66,8 @@ ieee80211_ibss_build_presp(struct ieee80211_sub_if_data *sdata,
 		    2 + (IEEE80211_MAX_SUPP_RATES - 8) +
 		    2 + sizeof(struct ieee80211_ht_cap) +
 		    2 + sizeof(struct ieee80211_ht_operation) +
+		    2 + sizeof(struct ieee80211_vht_cap) +
+		    2 + sizeof(struct ieee80211_vht_operation) +
 		    ifibss->ie_len;
 	presp = kzalloc(sizeof(*presp) + frame_len, GFP_KERNEL);
 	if (!presp)
author	Johannes Berg <johannes.berg@intel.com>	2017-04-27 13:19:04 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-06-26 07:13:09 +0200
commit	daebcf9871eb2be387527e8c6cb23ad74dcb3b02 (patch)
tree	df2d8bb7f9c79bef9672b8c11e33ddc1f1e5eff1
parent	bb8428f4c954ae12e8874be18826e16ba96ad1c9 (diff)