From 7ec8fd6776a60b2a102a089c6e09e8650905b462 Mon Sep 17 00:00:00 2001 From: Patrik Flykt Date: Mon, 5 Nov 2018 10:13:26 -0700 Subject: [PATCH] ie: Fix up broken Access Point with too many rates added According to the specification, Supported rates IE is supposed to have a maximum length of eight rate bytes. In the wild an Access Point is found to add 12 bytes of data instead of placing excess rate bytes in an Extended Rates IE. BSS: len 480 BSSID 44:39:C4:XX:XX:XX Probe Response: true TSF: 0 (0x0000000000000000) IEs: len 188 ... Supported rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0 11.0(B) 12.0(B) 18.0 Mbit/s 24.0(B) 36.0 48.0 54.0 Mbit/s 82 84 8b 8c 12 96 98 24 b0 48 60 6c .......$.H`l DSSS parameter set: channel 3 03 ... Any following IEs decode nicely, thus it seems that we can relax Supported Rates IE length handling to support this thermostat. --- src/ie.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/ie.c b/src/ie.c index e47c29dd..9fd0af5f 100644 --- a/src/ie.c +++ b/src/ie.c @@ -1371,8 +1371,7 @@ int ie_parse_supported_rates(struct ie_tlv_iter *iter, len = ie_tlv_iter_get_length(iter); - if (ie_tlv_iter_get_tag(iter) == IE_TYPE_SUPPORTED_RATES && - (len == 0 || len > 8)) + if (ie_tlv_iter_get_tag(iter) == IE_TYPE_SUPPORTED_RATES && len == 0) return -EINVAL; rates = ie_tlv_iter_get_data(iter);
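Review bot: the relaxed condition in ie_parse_supported_rates() (`ie_tlv_iter_get_tag(iter) == IE_TYPE_SUPPORTED_RATES && len == 0`) leaves the Supported Rates IE with no upper length bound at all, so any length the one-octet IE length field can carry (up to 255) is now accepted, not only the 12 bytes seen from this access point. The code following `rates = ie_tlv_iter_get_data(iter);` is outside the hunk, so please confirm that nothing consuming `rates` and `len` still relies on the old limit of 8, for example a fixed-size array or a loop bounded by a constant. If the remainder of the function does not need more than the observed case, consider keeping an explicit, larger cap rather than dropping the bound entirely. A short comment above the check saying that the specification maximum of eight rate bytes is deliberately not enforced because of non-compliant access points would also keep a later cleanup from restoring `len > 8`.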