Cumulative security patch from commit ca68a8b561c48393c8ba25055ce294caaa3ac008

ca68a8b WPS: Explicitly reject Public Key attribute with unexpected length
6b94f71 WPS: Truncate variable length string attributes to maximum length
f4b64c6 Simplify VHT Operation element parsing
d6fefd6 Simplify HT Operation element parsing
40baac0 Simplify VHT Capabilities element parsing
baae4cb Simplify HT Capabilities element parsing
b39a059 Simplify Timeout Interval element parsing
e8997b9 Simplify ERP element parsing
f87c99c Simplify DSSS Parameter Set element parsing
ae7a42b FT: Check FT, MD, and Timeout Interval length in the parser
c9bf7b6 Fix a memory leak on mesh_attr_text() error path
2531036 FT: Fix WMM TSPEC validation in driver-based AP MLME case
632931c P2P: Use WPS_SEC_DEV_TYPE_MAX_LEN in P2P array definition
0f5acfb Use common is_ctrl_char() helper function
5a041ac WPS: Ignore too long SSID attribute
d6c3067 Replace SSID_LEN with SSID_MAX_LEN
eaa8eef Replace MAX_SSID_LEN with SSID_MAX_LEN
81847c2 Replace HOSTAPD_MAX_SSID_LEN with SSID_MAX_LEN
6fb761c Replace WPA_MAX_SSID_LEN with SSID_MAX_LEN
d9d1b95 Use SSID_MAX_LEN define instead of value 32 when comparing SSID length
65b1025 WPS: Ignore too long Device Name attribute
cc6f243 Add WPS_DEV_NAME_MAX_LEN define and use it when comparing length
dd3d857 P2PS: Check for maximum SSID length in Persistent Group Info
05e46a9 Ignore too long SSID element value in parser
90758f0 Mark QCA vendor command id 53 reserved, but not used anymore
f41ded6 Remove unused leftover from multi-SSID design
cb71a83 OpenSSL: Clean up TLS PRF implementation
7f90a23 Add QCA vendor subcmd for OCB
897418a eap_example: Fix configuration by added DH parameters

Change-Id: If688231edfce41163ef0c1f0ad75291a9bdfbe81
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>

4 files changed, 36 insertions, 17 deletions

diff --git a/src/rsn_supp/Makefile b/src/rsn_supp/Makefile
index adfd3dfd..d5e61fe7 100644
--- a/src/rsn_supp/Makefile
+++ b/src/rsn_supp/Makefile
@@ -1,8 +1,30 @@
-all:
-	@echo Nothing to be made.
+all: librsn_supp.a
 
 clean:
-	rm -f *~ *.o *.d *.gcno *.gcda *.gcov
+	rm -f *~ *.o *.d *.gcno *.gcda *.gcov librsn_supp.a
 
 install:
 	@echo Nothing to be made.
+
+include ../lib.rules
+
+CFLAGS += -DCONFIG_IEEE80211W
+CFLAGS += -DCONFIG_IEEE80211R
+CFLAGS += -DCONFIG_PEERKEY
+CFLAGS += -DCONFIG_TDLS
+CFLAGS += -DCONFIG_WNM
+CFLAGS += -DIEEE8021X_EAPOL
+
+LIB_OBJS= \
+	pmksa_cache.o \
+	wpa_ft.o \
+	peerkey.o \
+	tdls.o \
+	preauth.o \
+	wpa.o \
+	wpa_ie.o
+
+librsn_supp.a: $(LIB_OBJS)
+	$(AR) crT $@ $?
+
+-include $(OBJS:%.o=%.d)
diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index c1d77491..6b1df711 100644
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -1577,9 +1577,7 @@ static int copy_supp_rates(const struct wpa_eapol_ie_parse *kde,
 static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
 			      struct wpa_tdls_peer *peer)
 {
-	if (!kde->ht_capabilities ||
-	    kde->ht_capabilities_len <
-	    sizeof(struct ieee80211_ht_capabilities) ) {
+	if (!kde->ht_capabilities) {
 		wpa_printf(MSG_DEBUG, "TDLS: No supported ht capabilities "
 			   "received");
 		return 0;
@@ -1605,9 +1603,7 @@ static int copy_peer_ht_capab(const struct wpa_eapol_ie_parse *kde,
 static int copy_peer_vht_capab(const struct wpa_eapol_ie_parse *kde,
 			      struct wpa_tdls_peer *peer)
 {
-	if (!kde->vht_capabilities ||
-	    kde->vht_capabilities_len <
-	    sizeof(struct ieee80211_vht_capabilities) ) {
+	if (!kde->vht_capabilities) {
 		wpa_printf(MSG_DEBUG, "TDLS: No supported vht capabilities "
 			   "received");
 		return 0;
diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index 0d96216d..0c37b35c 100644
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -511,12 +511,14 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
 			ie->rsn_ie_len = pos[1] + 2;
 			wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
 				    ie->rsn_ie, ie->rsn_ie_len);
-		} else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
+		} else if (*pos == WLAN_EID_MOBILITY_DOMAIN &&
+			   pos[1] >= sizeof(struct rsn_mdie)) {
 			ie->mdie = pos;
 			ie->mdie_len = pos[1] + 2;
 			wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
 				    ie->mdie, ie->mdie_len);
-		} else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
+		} else if (*pos == WLAN_EID_FAST_BSS_TRANSITION &&
+			   pos[1] >= sizeof(struct rsn_ftie)) {
 			ie->ftie = pos;
 			ie->ftie_len = pos[1] + 2;
 			wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
@@ -551,15 +553,16 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
 		} else if (*pos == WLAN_EID_EXT_SUPP_RATES) {
 			ie->ext_supp_rates = pos;
 			ie->ext_supp_rates_len = pos[1] + 2;
-		} else if (*pos == WLAN_EID_HT_CAP) {
+		} else if (*pos == WLAN_EID_HT_CAP &&
+			   pos[1] >= sizeof(struct ieee80211_ht_capabilities)) {
 			ie->ht_capabilities = pos + 2;
-			ie->ht_capabilities_len = pos[1];
 		} else if (*pos == WLAN_EID_VHT_AID) {
 			if (pos[1] >= 2)
 				ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;
-		} else if (*pos == WLAN_EID_VHT_CAP) {
+		} else if (*pos == WLAN_EID_VHT_CAP &&
+			   pos[1] >= sizeof(struct ieee80211_vht_capabilities))
+		{
 			ie->vht_capabilities = pos + 2;
-			ie->vht_capabilities_len = pos[1];
 		} else if (*pos == WLAN_EID_QOS && pos[1] >= 1) {
 			ie->qosinfo = pos[2];
 		} else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) {
diff --git a/src/rsn_supp/wpa_ie.h b/src/rsn_supp/wpa_ie.h
index 0fc42cc4..fe95af0a 100644
--- a/src/rsn_supp/wpa_ie.h
+++ b/src/rsn_supp/wpa_ie.h
@@ -50,9 +50,7 @@ struct wpa_eapol_ie_parse {
 	const u8 *ext_supp_rates;
 	size_t ext_supp_rates_len;
 	const u8 *ht_capabilities;
-	size_t ht_capabilities_len;
 	const u8 *vht_capabilities;
-	size_t vht_capabilities_len;
 	const u8 *supp_channels;
 	size_t supp_channels_len;
 	const u8 *supp_oper_classes;