mac80211: fix mesh_add_rsn_ie IE finding loop

Previously, the code to copy the RSN IE from the mesh config would increment its pointer by one in the loop instead of by the element length, so there was the potential for mistaking another IE's data fields as the RSN IE. cfg80211_find_ie() exists, so just use that. Signed-off-by: N Bob Copeland <me@bobcopeland.com> Signed-off-by: N Johannes Berg <johannes.berg@intel.com>

mac80211: fix mesh_add_rsn_ie IE finding loop
Previously, the code to copy the RSN IE from the mesh config would increment its pointer by one in the loop instead of by the element length, so there was the potential for mistaking another IE's data fields as the RSN IE. cfg80211_find_ie() exists, so just use that. Signed-off-by: N Bob Copeland <me@bobcopeland.com> Signed-off-by: N Johannes Berg <johannes.berg@intel.com>
a40a8c17 · Bob Copeland · Johannes Berg · aee6499c · a40a8c17
隐藏空白更改
内联并排

Showing with 8 addition and 13 deletion

net/mac80211/mesh.c net/mac80211/mesh.c +8 -13

未找到文件。
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -366,20 +366,15 @@ int mesh_add_rsn_ie(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
 		return 0;

 	/* find RSN IE */
-	data = ifmsh->ie;
-	while (data < ifmsh->ie + ifmsh->ie_len) {
-		if (*data == WLAN_EID_RSN) {
-			len = data[1] + 2;
-			break;
-		}
-		data++;
-	}
+	data = cfg80211_find_ie(WLAN_EID_RSN, ifmsh->ie, ifmsh->ie_len);
+	if (!data)
+		return 0;

-	if (len) {
-		if (skb_tailroom(skb) < len)
-			return -ENOMEM;
-		memcpy(skb_put(skb, len), data, len);
-	}
+	len = data[1] + 2;
+
+	if (skb_tailroom(skb) < len)
+		return -ENOMEM;
+	memcpy(skb_put(skb, len), data, len);

 	return 0;
 }