| author | Sunil Dutt Undekari <usdutt@qti.qualcomm.com> | 2014-03-03 13:13:27 +0530 |
|---|---|---|
| committer | Steve Kondik <shade@chemlab.org> | 2014-06-12 14:08:01 -0700 |
| commit | c22b7afa246f023a2908efe186ab4cf973bae22d (patch) | |
| tree | 0edee388cc73d10ef72751f426d124dbbe817c39 | |
| parent | 79d8b4968a97688666e9215608885437f74202b7 (diff) | |

TDLS: Work around interop issues with supported operating class

It looks like some deployed devices may send an invalid supported
operating class element (length = 0) in TDLS Setup messages. With
cfg80211, this results in the NL80211_CMD_SET_STATION command failing
due to an invalid argument (cfg80211 mandates supported operating
classes information to have a length of 2..253 octets).

Work around this interop issue by ignoring the Supported Operating Class
element if it has invalid length.

CRs-Fixed: 623628
Git-commit: 1578796a31b4a2d2f0e8a83cf0d714cf7763ddba
Git-repo : git://w1.fi/srv/git/hostap.git
Change-Id: I4d2db24bf365b46e567fc0cbdef1ea0626a093ea
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

| -rw-r--r-- | src/rsn_supp/wpa_ie.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c index ab8d104d..e8a02aa9 100644 --- a/src/rsn_supp/wpa_ie.c +++ b/src/rsn_supp/wpa_ie.c @@ -438,8 +438,16 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len, ie->supp_channels = pos + 2; ie->supp_channels_len = pos[1]; } else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) { - ie->supp_oper_classes = pos + 2; - ie->supp_oper_classes_len = pos[1]; + /* + * The value of the Length field of the Supported + * Operating Classes element is between 2 and 253. + * Silently skip invalid elements to avoid interop + * issues when trying to use the value. + */ + if (pos[1] >= 2 && pos[1] <= 253) { + ie->supp_oper_classes = pos + 2; + ie->supp_oper_classes_len = pos[1]; + } } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) { ret = wpa_parse_generic(pos, end, ie); if (ret < 0) |
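
Review bot: In the WLAN_EID_SUPPORTED_OPERATING_CLASSES branch, an element that fails the `pos[1] >= 2 && pos[1] <= 253` check is dropped with no trace, so a peer sending the malformed element cannot be identified from logs afterwards. Consider adding an else branch that emits a debug-level message with the offending length value; that keeps the workaround silent for users but makes the interop case diagnosable. When the element is skipped, ie->supp_oper_classes and ie->supp_oper_classes_len keep whatever they held before this branch, so the workaround depends on the caller having zeroed the structure and on consumers treating a NULL pointer with length 0 as "not present"; neither is visible in this hunk and a note in the comment would help. The bounds 2 and 253 appear as bare literals; named constants would tie them to the comment and make reuse easier. The Supported Channels branch directly above still stores pos[1] without any range check, so it is worth confirming whether it needs the same treatment.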
