[PATCH] b43: Fix tim search buffer overrun

[PATCH] b43: Fix tim search buffer overrun

[Michael Buesch]

Use the length of the variable section of the beacon instead of the
whole beacon length for bounds checking.

Signed-off-by: Michael Buesch <mb@bu3sch.de>

Index: wireless-2.6/drivers/net/wireless/b43/main.c
===================================================================
--- wireless-2.6.orig/drivers/net/wireless/b43/main.c	2007-12-26 18:20:38.000000000 +0100
+++ wireless-2.6/drivers/net/wireless/b43/main.c	2007-12-27 22:05:07.000000000 +0100
@@ -1161,7 +1161,7 @@ static void b43_write_beacon_template(st
 				      u16 ram_offset,
 				      u16 shm_size_offset, u8 rate)
 {
-	int i, len;
+	unsigned int i, len, variable_len;
 	const struct ieee80211_mgmt *bcn;
 	const u8 *ie;
 	bool tim_found = 0;
@@ -1176,7 +1176,8 @@ static void b43_write_beacon_template(st
 	/* Find the position of the TIM and the DTIM_period value
 	 * and write them to SHM. */
 	ie = bcn->u.beacon.variable;
-	for (i = 0; i < len - 2; ) {
+	variable_len = len - offsetof(struct ieee80211_mgmt, u.beacon.variable);
+	for (i = 0; i < variable_len - 2; ) {
 		uint8_t ie_id, ie_len;
 
 		ie_id = ie[i];
@@ -1187,7 +1188,7 @@ static void b43_write_beacon_template(st
 			/* This is the TIM Information Element */
 
 			/* Check whether the ie_len is in the beacon data range. */
-			if (len < ie_len + 2 + i)
+			if (variable_len < ie_len + 2 + i)
 				break;
 			/* A valid TIM is at least 4 bytes long. */
 			if (ie_len < 4)