authorJouni Malinen <jouni@qca.qualcomm.com>2015-07-17 20:37:15 +0300
committerLinux Build Service Account <lnxbuild@localhost>2015-10-06 03:19:48 -0600
commitd2a162481d8e147ce87b52c8147e6cf6d45da9c1 (patch)
treea7c5c1e4e1d9315c18efd6e7c4ef4dac40e35492 /src/fst
parent7ce8d79d856dfab8d6d24174a4eb9f3a3dbe4c31 (diff)
FST: Avoid using pointer to mgmt->u.action.u.fst_action
Typecasting &mgmt->u.action.u.fst_action to a struct pointer for various FST Action frame payloads seemed to be triggering static analyzer warnings about bounds checking since sizeof(mgmt->u.action.u.fst_action) == 1 even though that is really a variable length structure. Try to avoid this by calculating the pointer for the beginning of the frame instead of variable length struct. (CID 125642) Change-Id: I4cc2bb64832a94517aa98d764fad76a487a0255b Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Git-commit: 6462e7387d558fa4a95e98e61d5d5cd35a2d7690 Git-repo: git://w1.fi/srv/git/hostap.git CRs-Fixed: 891455
Diffstat (limited to 'src/fst')
-rw-r--r--src/fst/fst_session.c25
1 files changed, 15 insertions, 10 deletions
diff --git a/src/fst/fst_session.c b/src/fst/fst_session.c
index ce6bdcc5..609fc9a4 100644
--- a/src/fst/fst_session.c
+++ b/src/fst/fst_session.c
@@ -359,8 +359,7 @@ static void fst_session_handle_setup_request(struct fst_iface *iface,
size_t frame_len)
{
struct fst_session *s;
- const struct fst_setup_req *req =
- (const struct fst_setup_req *) &mgmt->u.action.u.fst_action;
+ const struct fst_setup_req *req;
struct fst_iface *new_iface = NULL;
struct fst_group *g;
u8 new_iface_peer_addr[ETH_ALEN];
@@ -375,6 +374,8 @@ static void fst_session_handle_setup_request(struct fst_iface *iface,
return;
}
plen = frame_len - IEEE80211_HDRLEN - 1;
+ req = (const struct fst_setup_req *)
+ (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (req->stie.new_band_id == req->stie.old_band_id) {
fst_printf_iface(iface, MSG_WARNING,
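Review bot: The offset `IEEE80211_HDRLEN + 1` in the added `req = ...` assignment is an unexplained literal, and this commit repeats it in the setup response, tear down, ack request and ack response handlers. The `+ 1` presumably skips the Category octet that precedes `u.action.u.fst_action`, so the pointer lands where the removed cast pointed. A comment such as `/* FST payload follows the 802.11 header and the Category octet */` would record that. Computing the pointer in one small static helper shared by the five handlers would also keep it from drifting away from the matching `plen = frame_len - IEEE80211_HDRLEN - 1` calculation. The length check that guards this dereference sits above the hunk and is not visible here.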
@@ -509,8 +510,7 @@ static void fst_session_handle_setup_response(struct fst_session *s,
const struct ieee80211_mgmt *mgmt,
size_t frame_len)
{
- const struct fst_setup_res *res =
- (const struct fst_setup_res *) &mgmt->u.action.u.fst_action;
+ const struct fst_setup_res *res;
size_t plen = frame_len - IEEE80211_HDRLEN - 1;
enum hostapd_hw_mode hw_mode;
u8 channel;
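Review bot: `size_t plen = frame_len - IEEE80211_HDRLEN - 1;` is evaluated at declaration, before any length test, and wraps to a very large value if `frame_len` is smaller than `IEEE80211_HDRLEN + 1`. The later too-short check (only its "Too short FST Response dropped" branch is visible in the next hunk, and it presumably compares `plen` with the payload struct size) would then pass. Because the payload pointer is now derived from the start of the frame, that check is the only bound on reads through `res`. Unless the caller already guarantees a minimum frame length, which these hunks do not show, test the raw length first, e.g. `if (frame_len < IEEE80211_HDRLEN + 1 + sizeof(*res))` feeding the existing drop path. The same declaration appears in the tear down, ack request and ack response hunks, and the function body continues outside this hunk.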
@@ -537,6 +537,8 @@ static void fst_session_handle_setup_response(struct fst_session *s,
"Too short FST Response dropped");
return;
}
+ res = (const struct fst_setup_res *)
+ (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (res->dialog_token != s->data.pending_setup_req_dlgt) {
fst_printf_session(s, MSG_WARNING,
@@ -604,8 +606,7 @@ static void fst_session_handle_tear_down(struct fst_session *s,
const struct ieee80211_mgmt *mgmt,
size_t frame_len)
{
- const struct fst_tear_down *td =
- (const struct fst_tear_down *) &mgmt->u.action.u.fst_action;
+ const struct fst_tear_down *td;
size_t plen = frame_len - IEEE80211_HDRLEN - 1;
union fst_session_state_switch_extra evext = {
.to_initial = {
@@ -624,6 +625,8 @@ static void fst_session_handle_tear_down(struct fst_session *s,
"Too short FST Tear Down dropped");
return;
}
+ td = (const struct fst_tear_down *)
+ (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (le_to_host32(td->fsts_id) != s->data.fsts_id) {
fst_printf_siface(s, iface, MSG_WARNING,
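Review bot: `le_to_host32(td->fsts_id)` reads a 32-bit field through a pointer formed by adding a byte offset to the frame start, which carries no alignment guarantee. The access is only well defined if `struct fst_tear_down` is declared packed; its definition is not part of this diff, so that should be confirmed. The same applies to `req->fsts_id` and `res->fsts_id` in the ack request and ack response hunks. Once confirmed, a short comment at the cast, e.g. `/* payload structs are packed; multi-byte fields may be unaligned */`, would make the dependency explicit. The removed cast had the same property, so this is a documentation point rather than a regression.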
@@ -643,8 +646,7 @@ static void fst_session_handle_ack_request(struct fst_session *s,
const struct ieee80211_mgmt *mgmt,
size_t frame_len)
{
- const struct fst_ack_req *req =
- (const struct fst_ack_req *) &mgmt->u.action.u.fst_action;
+ const struct fst_ack_req *req;
size_t plen = frame_len - IEEE80211_HDRLEN - 1;
struct fst_ack_res res;
union fst_session_state_switch_extra evext = {
@@ -674,6 +676,8 @@ static void fst_session_handle_ack_request(struct fst_session *s,
"Too short FST Ack Request dropped");
return;
}
+ req = (const struct fst_ack_req *)
+ (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (le_to_host32(req->fsts_id) != s->data.fsts_id) {
fst_printf_siface(s, iface, MSG_WARNING,
@@ -706,8 +710,7 @@ fst_session_handle_ack_response(struct fst_session *s,
const struct ieee80211_mgmt *mgmt,
size_t frame_len)
{
- const struct fst_ack_res *res =
- (const struct fst_ack_res *) &mgmt->u.action.u.fst_action;
+ const struct fst_ack_res *res;
size_t plen = frame_len - IEEE80211_HDRLEN - 1;
union fst_session_state_switch_extra evext = {
.to_initial = {
@@ -736,6 +739,8 @@ fst_session_handle_ack_response(struct fst_session *s,
"Too short FST Ack Response dropped");
return;
}
+ res = (const struct fst_ack_res *)
+ (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (le_to_host32(res->fsts_id) != s->data.fsts_id) {
fst_printf_siface(s, iface, MSG_ERROR,