From: Johannes Berg <johannes.berg@intel.com>
Date: Thu, 27 Apr 2017 11:19:04 +0000 (+0200)
Subject: mac80211: fix IBSS presp allocation size
X-Git-Tag: release-20171130_firefly~4^2~100^2~1^2~1^2~52
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=daebcf9871eb2be387527e8c6cb23ad74dcb3b02;p=firefly-linux-kernel-4.4.55.git

mac80211: fix IBSS presp allocation size

commit f1f3e9e2a50a70de908f9dfe0d870e9cdc67e042 upstream.

When VHT IBSS support was added, the size of the extra elements
wasn't considered in ieee80211_ibss_build_presp(), which makes
it possible that it would overrun the allocated buffer. Fix it
by allocating the necessary space.

Fixes: abcff6ef01f9 ("mac80211: add VHT support for IBSS")
Reported-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index af5f3bb586ff..24ba31601fc9 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -66,6 +66,8 @@ ieee80211_ibss_build_presp(struct ieee80211_sub_if_data *sdata,
 		    2 + (IEEE80211_MAX_SUPP_RATES - 8) +
 		    2 + sizeof(struct ieee80211_ht_cap) +
 		    2 + sizeof(struct ieee80211_ht_operation) +
+		    2 + sizeof(struct ieee80211_vht_cap) +
+		    2 + sizeof(struct ieee80211_vht_operation) +
 		    ifibss->ie_len;
 	presp = kzalloc(sizeof(*presp) + frame_len, GFP_KERNEL);
 	if (!presp)