FST: More robust bounds checking of local data in fst_dump_mb_ies()

Check the full MBIE length against the buffer length explicitly before
the debug print. This is for locally generated data, so the bounds
checking is not critical here, but it is better to use proper checking
anyway to avoid static analyzer complaints.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2022-05-08 17:18:58 +03:00
parent 63eb98a8ee
commit 1739d50c20


@ -28,8 +28,13 @@ static void fst_dump_mb_ies(const char *group_id, const char *ifname,
while (s >= 2) {
const struct multi_band_ie *mbie =
(const struct multi_band_ie *) p;
size_t len;
WPA_ASSERT(mbie->eid == WLAN_EID_MULTI_BAND);
WPA_ASSERT(2U + mbie->len >= sizeof(*mbie));
len = 2 + mbie->len;
if (len > s)
break;
fst_printf(MSG_WARNING,
"%s: %s: mb_ctrl=%u band_id=%u op_class=%u chan=%u bssid="
@ -45,8 +50,8 @@ static void fst_dump_mb_ies(const char *group_id, const char *ifname,
mbie->mb_connection_capability,
mbie->fst_session_tmout);
p += 2 + mbie->len;
s -= 2 + mbie->len;
p += len;
s -= len;
}
}
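Review bot: The added `if (len > s) break;` bounds the element against the remaining buffer, but the lower bound on `len` still rests only on `WPA_ASSERT(2U + mbie->len >= sizeof(*mbie));`. If that macro compiles to nothing in non-debug builds (its definition is not visible here), an element with a short length field passes the new check, and the `fst_printf()` that follows reads struct fields such as `fst_session_tmout` beyond the declared element and possibly beyond the buffer. Writing the check as `if (len < sizeof(*mbie) || len > s) break;` would enforce both bounds at run time and should also satisfy the static analyzer. A comment such as `/* undersized or truncated MBIE: stop dumping */` above the `break` would make the silent early exit explicit. The function begins outside the hunk, so the types of `s` and `p` are assumed here.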