iwinfo: improve center channel handling

- Improve iwinfo center channel struct position
- Prevent read beyond buffer on malformed data

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>

diff --git a/include/iwinfo.h b/include/iwinfo.h
index 5799c02be2c727cc7eccfa9f2fe8641c0302573c..40ef3a7b60246ac5399099208dafcf47c808eed7 100644 (file)
--- a/include/iwinfo.h
+++ b/include/iwinfo.h
@@ -255,6 +255,8 @@ struct iwinfo_ops {
        int (*probe)(const char *ifname);
        int (*mode)(const char *, int *);
        int (*channel)(const char *, int *);
+       int (*center_chan1)(const char *, int *);
+       int (*center_chan2)(const char *, int *);
        int (*frequency)(const char *, int *);
        int (*frequency_offset)(const char *, int *);
        int (*txpower)(const char *, int *);
@@ -283,8 +285,6 @@ struct iwinfo_ops {
        int (*survey)(const char *, char *, int *);
        int (*lookup_phy)(const char *, char *);
        void (*close)(void);
-       int (*center_chan1)(const char *, int *);
-       int (*center_chan2)(const char *, int *);
 };
 
 const char * iwinfo_type(const char *ifname);

diff --git a/iwinfo_nl80211.c b/iwinfo_nl80211.c
index 0a9421618617a87e5d0a3b91381cc7915c7c8b26..29bdc8c711fb088761058b6a54875e0a0e00f13b 100644 (file)
--- a/iwinfo_nl80211.c
+++ b/iwinfo_nl80211.c
@@ -2380,14 +2380,18 @@ static void nl80211_get_scanlist_ie(struct nlattr **bss,
                                                 IWINFO_CIPHER_TKIP, IWINFO_KMGMT_PSK);
                        break;
                case 61: /* HT oeration */
-                       e->ht_chan_info.primary_chan = ie[2];
-                       e->ht_chan_info.secondary_chan_off = ie[3] & 0x3;
-                       e->ht_chan_info.chan_width = (ie[4] & 0x4)>>2;
+                       if (ie[1] >= 3) {
+                               e->ht_chan_info.primary_chan = ie[2];
+                               e->ht_chan_info.secondary_chan_off = ie[3] & 0x3;
+                               e->ht_chan_info.chan_width = (ie[4] & 0x4)>>2;
+                       }
                        break;
                case 192: /* VHT operation */
-                       e->vht_chan_info.chan_width = ie[2];
-                       e->vht_chan_info.center_chan_1 = ie[3];
-                       e->vht_chan_info.center_chan_2 = ie[4];
+                       if (ie[1] >= 3) {
+                               e->vht_chan_info.chan_width = ie[2];
+                               e->vht_chan_info.center_chan_1 = ie[3];
+                               e->vht_chan_info.center_chan_2 = ie[4];
+                       }
                        break;
                }
 
@@ -3347,6 +3351,8 @@ const struct iwinfo_ops nl80211_ops = {
        .name             = "nl80211",
        .probe            = nl80211_probe,
        .channel          = nl80211_get_channel,
+       .center_chan1     = nl80211_get_center_chan1,
+       .center_chan2     = nl80211_get_center_chan2,
        .frequency        = nl80211_get_frequency,
        .frequency_offset = nl80211_get_frequency_offset,
        .txpower          = nl80211_get_txpower,
@@ -3375,7 +3381,5 @@ const struct iwinfo_ops nl80211_ops = {
        .countrylist      = nl80211_get_countrylist,
        .survey           = nl80211_get_survey,
        .lookup_phy       = nl80211_lookup_phyname,
-       .close            = nl80211_close,
-       .center_chan1     = nl80211_get_center_chan1,
-       .center_chan2     = nl80211_get_center_chan2
+       .close            = nl80211_close
 };