312ca38ddd
This function was modified to support the information element extension
case (WLAN_EID_EXTENSION) in a manner that would result in an infinite
loop when going through set of IEs that include WLAN_EID_RIC_DATA and
contain an IE that is in the after_ric array. The only place where this
can currently happen is in mac80211 ieee80211_send_assoc() where
ieee80211_ie_split_ric() is called with after_ric[].
This can be triggered by valid data from user space nl80211
association/connect request (i.e., requiring GENL_UNS_ADMIN_PERM). The
only known application having an option to include WLAN_EID_RIC_DATA in
these requests is wpa_supplicant and it had a bug that prevented this
specific contents from being used (and because of that, not triggering
this kernel bug in an automated test case ap_ft_ric) and now that this
bug is fixed, it has a workaround to avoid this kernel issue.
WLAN_EID_RIC_DATA is currently used only for testing purposes, so this
does not cause significant harm for production use cases.
Fixes:
|
||
---|---|---|
.. | ||
certs | ||
.gitignore | ||
ap.c | ||
chan.c | ||
core.c | ||
core.h | ||
debugfs.c | ||
debugfs.h | ||
ethtool.c | ||
ibss.c | ||
Kconfig | ||
lib80211_crypt_ccmp.c | ||
lib80211_crypt_tkip.c | ||
lib80211_crypt_wep.c | ||
lib80211.c | ||
Makefile | ||
mesh.c | ||
mlme.c | ||
nl80211.c | ||
nl80211.h | ||
ocb.c | ||
of.c | ||
radiotap.c | ||
rdev-ops.h | ||
reg.c | ||
reg.h | ||
scan.c | ||
sme.c | ||
sysfs.c | ||
sysfs.h | ||
trace.c | ||
trace.h | ||
util.c | ||
wext-compat.c | ||
wext-compat.h | ||
wext-core.c | ||
wext-priv.c | ||
wext-proc.c | ||
wext-sme.c | ||
wext-spy.c |