diff options
| author | Jouni Malinen <jouni@qca.qualcomm.com> | 2014-04-08 00:53:55 +0300 |
|---|---|---|
| committer | Steve Kondik <shade@chemlab.org> | 2014-06-12 14:08:47 -0700 |
| commit | 78013255355fa36d07fb93c5f401d6da4e5ea3c3 (patch) | |
| tree | 943daba7509c6760344dfc0ef15f7eaa16013d14 | |
| parent | e212bad50b1c4f225c87bee1c3b9ba81a4504773 (diff) | |
| download | android_external_wpa_supplicant_8-78013255355fa36d07fb93c5f401d6da4e5ea3c3.tar.gz android_external_wpa_supplicant_8-78013255355fa36d07fb93c5f401d6da4e5ea3c3.tar.bz2 android_external_wpa_supplicant_8-78013255355fa36d07fb93c5f401d6da4e5ea3c3.zip | |
WNM: Fix neighbor report subelement parser
Only the Neighbor Report element should be included here, so verify that
the element id matches. In addition, verify that each subelement has
valid length before using the data.
CRs-Fixed: 651033
Change-Id: I7179f4ab62f62864d13ef011dbf3a59156a2c7f1
Git-commit: 1aa6f953bb7b9093decc5817a2a7eaacf2eae61b
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| -rw-r--r-- | src/common/ieee802_11_defs.h | 1 | ||||
| -rw-r--r-- | wpa_supplicant/wnm_sta.c | 19 |
2 files changed, 15 insertions, 5 deletions
diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h index eec1a2e8..e8550ded 100644 --- a/src/common/ieee802_11_defs.h +++ b/src/common/ieee802_11_defs.h @@ -221,6 +221,7 @@ #define WLAN_EID_QOS 46 #define WLAN_EID_RSN 48 #define WLAN_EID_EXT_SUPP_RATES 50 +#define WLAN_EID_NEIGHBOR_REPORT 52 #define WLAN_EID_MOBILITY_DOMAIN 54 #define WLAN_EID_FAST_BSS_TRANSITION 55 #define WLAN_EID_TIMEOUT_INTERVAL 56 diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c index 5731cbd5..52dc3c8c 100644 --- a/wpa_supplicant/wnm_sta.c +++ b/wpa_supplicant/wnm_sta.c @@ -456,8 +456,15 @@ static void wnm_parse_neighbor_report(struct wpa_supplicant *wpa_s, id = *pos++; elen = *pos++; + wpa_printf(MSG_DEBUG, "WNM: Subelement id=%u len=%u", id, elen); + left -= 2; + if (elen > left) { + wpa_printf(MSG_DEBUG, + "WNM: Truncated neighbor report subelement"); + break; + } wnm_parse_neighbor_report_elem(rep, id, elen, pos); - left -= 2 + elen; + left -= elen; pos += elen; } } @@ -671,10 +678,12 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s, wpa_printf(MSG_DEBUG, "WNM: Truncated request"); return; } - wnm_parse_neighbor_report( - wpa_s, pos, len, - &wpa_s->wnm_neighbor_report_elements[ - wpa_s->wnm_num_neighbor_report]); + if (tag == WLAN_EID_NEIGHBOR_REPORT) { + struct neighbor_report *rep; + rep = &wpa_s->wnm_neighbor_report_elements[ + wpa_s->wnm_num_neighbor_report]; + wnm_parse_neighbor_report(wpa_s, pos, len, rep); + } pos += len; wpa_s->wnm_num_neighbor_report++; |