TDLS: Work around interop issues with supported operating class

It looks like some deployed devices may send an invalid supported
operating class element (length = 0) in TDLS Setup messages. With
cfg80211, this results in the NL80211_CMD_SET_STATION command failing
due to an invalid argument (cfg80211 mandates supported operating
classes information to have a length of 2..253 octets).

Work around this interop issue by ignoring the Supported Operating Class
element if it has invalid length.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

src/rsn_supp/wpa_ie.c

@@ -522,8 +522,16 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
 			ie->supp_channels = pos + 2;
 			ie->supp_channels_len = pos[1];
 		} else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) {
-			ie->supp_oper_classes = pos + 2;
-			ie->supp_oper_classes_len = pos[1];
+			/*
+			 * The value of the Length field of the Supported
+			 * Operating Classes element is between 2 and 253.
+			 * Silently skip invalid elements to avoid interop
+			 * issues when trying to use the value.
+			 */
+			if (pos[1] >= 2 && pos[1] <= 253) {
+				ie->supp_oper_classes = pos + 2;
+				ie->supp_oper_classes_len = pos[1];
+			}
 		} else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
 			ret = wpa_parse_generic(pos, end, ie);
 			if (ret < 0)