mac80211: fix mesh_add_rsn_ie IE finding loop

Previously, the code to copy the RSN IE from the mesh config would increment its pointer by one in the loop instead of by the element length, so there was the potential for mistaking another IE's data fields as the RSN IE. cfg80211_find_ie() exists, so just use that. Signed-off-by: Bob Copeland <me@bobcopeland.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Bob Copeland <me@bobcopeland.com> 2014-04-15 14:43:07 (GMT)
committer: Johannes Berg <johannes.berg@intel.com> 2014-04-22 15:24:49 (GMT)
commit: a40a8c17b22ea0ce6d54c04a2e77630768691338 (patch)
tree: c146ae7436f4ba1676b5b5515ad6371b6503f52d /net
parent: aee6499c8c6d0d1bc75cbae51f89c4d35a5aaa1f (diff)
download: linux-a40a8c17b22ea0ce6d54c04a2e77630768691338.tar.xz
1 files changed, 8 insertions, 13 deletions
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 9d29237..b06ddc9 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -366,20 +366,15 @@ int mesh_add_rsn_ie(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
 		return 0;
 
 	/* find RSN IE */
-	data = ifmsh->ie;
-	while (data < ifmsh->ie + ifmsh->ie_len) {
-		if (*data == WLAN_EID_RSN) {
-			len = data[1] + 2;
-			break;
-		}
-		data++;
-	}
+	data = cfg80211_find_ie(WLAN_EID_RSN, ifmsh->ie, ifmsh->ie_len);
+	if (!data)
+		return 0;
 
-	if (len) {
-		if (skb_tailroom(skb) < len)
-			return -ENOMEM;
-		memcpy(skb_put(skb, len), data, len);
-	}
+	len = data[1] + 2;
+
+	if (skb_tailroom(skb) < len)
+		return -ENOMEM;
+	memcpy(skb_put(skb, len), data, len);
 
 	return 0;
 }
author	Bob Copeland <me@bobcopeland.com>	2014-04-15 14:43:07 (GMT)
committer	Johannes Berg <johannes.berg@intel.com>	2014-04-22 15:24:49 (GMT)
commit	a40a8c17b22ea0ce6d54c04a2e77630768691338 (patch)
tree	c146ae7436f4ba1676b5b5515ad6371b6503f52d /net
parent	aee6499c8c6d0d1bc75cbae51f89c4d35a5aaa1f (diff)
download	linux-a40a8c17b22ea0ce6d54c04a2e77630768691338.tar.xz