ie: Fix up broken Access Point with too many rates added

According to the specification, Supported rates IE is supposed to have a maximum length of eight rate bytes. In the wild an Access Point is found to add 12 bytes of data instead of placing excess rate bytes in an Extended Rates IE. BSS: len 480 BSSID 44:39:C4:XX:XX:XX Probe Response: true TSF: 0 (0x0000000000000000) IEs: len 188 ... Supported rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0 11.0(B) 12.0(B) 18.0 Mbit/s 24.0(B) 36.0 48.0 54.0 Mbit/s 82 84 8b 8c 12 96 98 24 b0 48 60 6c .......$.H`l DSSS parameter set: channel 3 03 ... Any following IEs decode nicely, thus it seems that we can relax Supported Rates IE length handling to support this thermostat.
2018-11-05 10:13:26 -07:00 · 2018-11-05 10:13:26 -07:00 · 7ec8fd6776
parent c68ae2f00b
commit 7ec8fd6776
1 changed files with 1 additions and 2 deletions
--- a/src/ie.c
+++ b/src/ie.c
@ -1371,8 +1371,7 @@ int ie_parse_supported_rates(struct ie_tlv_iter *iter,

 	len = ie_tlv_iter_get_length(iter);

-	if (ie_tlv_iter_get_tag(iter) == IE_TYPE_SUPPORTED_RATES &&
-			(len == 0 || len > 8))
+	if (ie_tlv_iter_get_tag(iter) == IE_TYPE_SUPPORTED_RATES && len == 0)
 		return -EINVAL;

 	rates = ie_tlv_iter_get_data(iter);