Move SA Query frame length check to the shared handler function
Check the length in the common handler function instead of in both callers. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
002edb6303
commit
700b3f395e
3 changed files with 12 additions and 22 deletions
|
@ -1110,8 +1110,9 @@ static void hostapd_action_rx(struct hostapd_data *hapd,
|
|||
}
|
||||
#endif /* CONFIG_IEEE80211R_AP */
|
||||
#ifdef CONFIG_IEEE80211W
|
||||
if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY && plen >= 4) {
|
||||
if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY) {
|
||||
ieee802_11_sa_query_action(hapd, mgmt, drv_mgmt->frame_len);
|
||||
return;
|
||||
}
|
||||
#endif /* CONFIG_IEEE80211W */
|
||||
#ifdef CONFIG_WNM_AP
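Review bot: The `WLAN_ACTION_SA_QUERY` branch in `hostapd_action_rx` no longer shows any bound on the frame before it passes `drv_mgmt->frame_len` on, so a reader of this function cannot see where the length is enforced. A one-line comment above the call would record it: `/* Frame length is validated in ieee802_11_sa_query_action() */`. A too-short SA Query frame previously skipped this branch and fell through to the handlers below, whereas it is now consumed by the `return;`. That looks intended, but it is a behaviour change beyond moving the check. The function body starts and ends outside the hunk.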
|
||||
|
|
|
@ -4102,26 +4102,6 @@ static void handle_beacon(struct hostapd_data *hapd,
|
|||
|
||||
|
||||
#ifdef CONFIG_IEEE80211W
|
||||
|
||||
static int hostapd_sa_query_action(struct hostapd_data *hapd,
|
||||
const struct ieee80211_mgmt *mgmt,
|
||||
size_t len)
|
||||
{
|
||||
const u8 *end;
|
||||
|
||||
end = mgmt->u.action.u.sa_query_resp.trans_id +
|
||||
WLAN_SA_QUERY_TR_ID_LEN;
|
||||
if (((u8 *) mgmt) + len < end) {
|
||||
wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action "
|
||||
"frame (len=%lu)", (unsigned long) len);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ieee802_11_sa_query_action(hapd, mgmt, len);
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static int robust_action_frame(u8 category)
|
||||
{
|
||||
return category != WLAN_ACTION_PUBLIC &&
|
||||
|
@ -4207,7 +4187,8 @@ static int handle_action(struct hostapd_data *hapd,
|
|||
return 1;
|
||||
#ifdef CONFIG_IEEE80211W
|
||||
case WLAN_ACTION_SA_QUERY:
|
||||
return hostapd_sa_query_action(hapd, mgmt, len);
|
||||
ieee802_11_sa_query_action(hapd, mgmt, len);
|
||||
return 1;
|
||||
#endif /* CONFIG_IEEE80211W */
|
||||
#ifdef CONFIG_WNM_AP
|
||||
case WLAN_ACTION_WNM:
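Review bot: A truncated SA Query frame now makes `handle_action` return 1 at `case WLAN_ACTION_SA_QUERY:`, where the removed `hostapd_sa_query_action` wrapper returned 0 for it. `ieee802_11_sa_query_action` is declared `void`, so this caller can no longer tell a rejected frame from a handled one. What callers do with the return value is not visible here. If it matters, the shared handler should report rejection; otherwise a comment such as `/* Too short frames are logged and dropped in ieee802_11_sa_query_action() */` would mark the change as deliberate. The body of `handle_action` starts and ends outside the hunk.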
|
||||
|
|
|
@ -213,6 +213,14 @@ void ieee802_11_sa_query_action(struct hostapd_data *hapd,
|
|||
const u8 action_type = mgmt->u.action.u.sa_query_resp.action;
|
||||
const u8 *trans_id = mgmt->u.action.u.sa_query_resp.trans_id;
|
||||
|
||||
if (((const u8 *) mgmt) + len <
|
||||
mgmt->u.action.u.sa_query_resp.variable) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"IEEE 802.11: Too short SA Query Action frame (len=%lu)",
|
||||
(unsigned long) len);
|
||||
return;
|
||||
}
|
||||
|
||||
sta = ap_get_sta(hapd, sa);
|
||||
|
||||
#ifdef CONFIG_OCV
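Review bot: `action_type` is still initialized from `mgmt->u.action.u.sa_query_resp.action` in the declaration above the added length check, so one octet of the frame is read before `len` has been validated. Now that this function owns the check, it should not depend on callers having guaranteed that octet is present, and whether they do is not visible in the hunk. Drop the initializer (and the `const`) and assign after the check: `action_type = mgmt->u.action.u.sa_query_resp.action;`. The `trans_id` initializer only forms an address and can stay where it is. The function starts before the hunk and continues past it.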
|
||||
|
|