authorJouni Malinen <jouni.malinen@atheros.com>2011-04-13 22:14:22 +0300
committerJouni Malinen <j@w1.fi>2011-04-13 22:14:22 +0300
commita04bf77209ea23f5a86d0d075fd1cdae3479212c (patch)
tree61a3bedec3988659e1ecf274d00e1171a13d9c23 /src/rsn_supp
parent62c0d27ed313be1ed0ea178ca3d059ff97cd7ba5 (diff)
TDLS: Validate FTIE length before processing it
This avoids reading past the end of the IE buffer should the FTIE be too short. In addition, one debug hexdump was using an uninitialized pointer to the FTIE buffer, so it was fixed to use the pointer from the parse data.
Diffstat (limited to 'src/rsn_supp')
-rw-r--r--src/rsn_supp/tdls.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index 9133c9a..e751867 100644
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -753,7 +753,7 @@ static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
goto skip_ftie;
- if (kde.ftie == NULL) {
+ if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
return -1;
}
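Review bot: The log message under the new condition still says "No FTIE in TDLS Teardown" although the branch is now also taken when an FTIE is present but shorter than sizeof(*ftie); a truncated element is a different condition (a malformed frame from the peer) from a missing one and is worth telling apart in the log when a rejected frame has to be investigated. Something like `wpa_printf(MSG_INFO, "TDLS: No or too short FTIE in TDLS Teardown (len=%lu)", (unsigned long) kde.ftie_len);` keeps the existing style and records the offending length. The same wording issue applies to the TPK M1, M2 and M3 hunks below. wpa_tdls_recv_teardown, and the declaration of the `ftie` pointer whose pointee type sizes the check, lie outside this hunk.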
@@ -1247,7 +1247,8 @@ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
goto skip_rsn;
}
- if (kde.ftie == NULL || kde.rsn_ie == NULL) {
+ if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
+ kde.rsn_ie == NULL) {
wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
status = WLAN_STATUS_INVALID_PARAMETERS;
goto error;
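Review bot: Only kde.ftie gets a minimum-length check in the new condition; kde.rsn_ie in the same condition is still tested for NULL only. If kde.rsn_ie_len is validated by the RSN IE parser further down in wpa_tdls_process_tpk_m1 (outside this hunk) that is sufficient, but a short comment at the condition would spare the next reader the lookup, e.g. `/* RSN IE length is checked by the RSN IE parser below; only the FTIE needs a minimum length here */`. The same applies to the TPK M2 hunk, which has the identical condition.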
@@ -1558,7 +1559,8 @@ static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
goto skip_rsn;
}
- if (kde.ftie == NULL || kde.rsn_ie == NULL) {
+ if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
+ kde.rsn_ie == NULL) {
wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
status = WLAN_STATUS_INVALID_PARAMETERS;
goto error;
@@ -1727,12 +1729,12 @@ static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
if (!wpa_tdls_get_privacy(sm))
goto skip_rsn;
- if (kde.ftie == NULL) {
+ if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
return -1;
}
wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
- (u8 *) ftie, sizeof(*ftie));
+ kde.ftie, sizeof(*ftie));
ftie = (struct wpa_tdls_ftie *) kde.ftie;
if (kde.rsn_ie == NULL) {
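Review bot: The hexdump on the new line still prints only sizeof(*ftie) bytes, although kde.ftie_len is now known to be at least that and may be larger; dumping the whole element, `kde.ftie, kde.ftie_len`, also shows the trailing subelements, which is usually what is needed when debugging a rejected M3. An alternative with the same effect is to move `ftie = (struct wpa_tdls_ftie *) kde.ftie;` above the wpa_hexdump call so the cast pointer is assigned before its first use; either way, a one-line comment noting that the hexdump must not use `ftie` before that assignment would prevent the uninitialized read from being reintroduced. wpa_tdls_process_tpk_m3 begins and ends outside this hunk.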