From f87c99c7874401bd5581b48ccf89a42eba360959 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 19 Apr 2015 16:32:01 +0300
Subject: [PATCH] Simplify DSSS Parameter Set element parsing

Check the element length in the parser and remove the length field from struct ieee802_11_elems since the only allowed element length is one.

Signed-off-by: Jouni Malinen
---
 src/ap/ap_list.c | 2 +-
 src/ap/beacon.c | 2 +-
 src/common/ieee802_11_common.c | 3 ++-
 src/common/ieee802_11_common.h | 1 -
 src/p2p/p2p_parse.c | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/ap/ap_list.c b/src/ap/ap_list.c
index 04a56a95e..8cccd833a 100644
--- a/src/ap/ap_list.c
+++ b/src/ap/ap_list.c
@@ -198,7 +198,7 @@ void ap_list_process_beacon(struct hostapd_iface *iface,
 else
 ap->erp = -1;
 
- if (elems->ds_params && elems->ds_params_len == 1)
+ if (elems->ds_params)
 ap->channel = elems->ds_params[0];
 else if (elems->ht_operation && elems->ht_operation_len >= 1)
 ap->channel = elems->ht_operation[0];
diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index ad371f424..700985595 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -588,7 +588,7 @@ void handle_probe_req(struct hostapd_data *hapd,
 * is less likely to see them (Probe Request frame sent on a
 * neighboring, but partially overlapping, channel).
 */
- if (elems.ds_params && elems.ds_params_len == 1 &&
+ if (elems.ds_params &&
 hapd->iface->current_mode &&
 (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G ||
 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211B) &&
diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 350e95580..140f92070 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
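Review bot: Dropping `elems->ds_params_len == 1` in ap_list_process_beacon() (and likewise in the handle_probe_req() hunk in src/ap/beacon.c) loosens what these two callers accept. Both used to require a length of exactly one, but the replacement check in the ieee802_11_parse_elems() hunk is `if (elen < 1) break;`, so a DSSS Parameter Set element longer than one octet from a received frame now sets `ds_params` and its first octet is taken as the channel. The read of `ds_params[0]` stays in bounds provided the parser has already validated elen against the remaining buffer, which happens outside the visible hunks. If the commit message's "only allowed element length is one" is the intent, the parser check should be `if (elen != 1) break;`. Both enclosing functions start and end outside their hunks.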
@@ -211,8 +211,9 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
 elems->supp_rates_len = elen;
 break;
 case WLAN_EID_DS_PARAMS:
+ if (elen < 1)
+ break;
 elems->ds_params = pos;
- elems->ds_params_len = elen;
 break;
 case WLAN_EID_CF_PARAMS:
 case WLAN_EID_TIM:
diff --git a/src/common/ieee802_11_common.h b/src/common/ieee802_11_common.h
index 7f0b296d2..0a71bc86f 100644
--- a/src/common/ieee802_11_common.h
+++ b/src/common/ieee802_11_common.h
@@ -51,7 +51,6 @@ struct ieee802_11_elems {
 
 u8 ssid_len;
 u8 supp_rates_len;
- u8 ds_params_len;
 u8 challenge_len;
 u8 erp_info_len;
 u8 ext_supp_rates_len;
diff --git a/src/p2p/p2p_parse.c b/src/p2p/p2p_parse.c
index def41ff51..980dddf12 100644
--- a/src/p2p/p2p_parse.c
+++ b/src/p2p/p2p_parse.c
@@ -516,7 +516,7 @@ int p2p_parse_ies(const u8 *data, size_t len, struct p2p_message *msg)
 struct ieee802_11_elems elems;
 
 ieee802_11_parse_elems(data, len, &elems, 0);
- if (elems.ds_params && elems.ds_params_len >= 1)
+ if (elems.ds_params)
 msg->ds_params = elems.ds_params;
 if (elems.ssid)
 msg->ssid = elems.ssid - 2;
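Review bot: In the src/common/ieee802_11_common.h hunk, removing `u8 ds_params_len;` leaves struct ieee802_11_elems with no record that a non-NULL `ds_params` points at one or more octets. That guarantee is now the only thing keeping `elems->ds_params[0]` in ap_list.c in bounds, and it also carries over to `msg->ds_params` in p2p_parse.c. The pointer member is declared outside this hunk; I would add a comment on it such as `/* DSSS Parameter Set; non-NULL only when the parser saw elen >= 1, read only the first octet */`. Any code that fills in `ds_params` without going through ieee802_11_parse_elems() would have to uphold the same guarantee; none is visible in this patch.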