Check whether element parsing has failed

Check the ieee802_11_parse_elems() return code and do not proceed in various cases if parsing failed. Previously, these cases would have been allowed to continue by ignoring whatever might have followed in the IE buffer after the first detected parsing failure. This is not really an issue in practice, but it feels cleaner to explicitly stop when receiving an invalid set of IEs. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-07-18 16:02:44 +03:00 · 2023-07-18 16:02:44 +03:00 · 7a37a94eaa
commit 7a37a94eaa
parent a4c133ea73
3 changed files with 22 additions and 11 deletions
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@ -59,9 +59,10 @@ void hostapd_notify_assoc_fils_finish(struct hostapd_data *hapd,
 	if (!sta->fils_pending_assoc_req)
 		return;

-	ieee802_11_parse_elems(sta->fils_pending_assoc_req,
-			       sta->fils_pending_assoc_req_len, &elems, 0);
-	if (!elems.fils_session) {
+	if (ieee802_11_parse_elems(sta->fils_pending_assoc_req,
+				   sta->fils_pending_assoc_req_len, &elems,
+				   0) == ParseFailed ||
+	    !elems.fils_session) {
 		wpa_printf(MSG_DEBUG, "%s failed to find FILS Session element",
 			   __func__);
 		return;
@ -176,7 +177,12 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
 		       HOSTAPD_LEVEL_INFO, "associated");

-	ieee802_11_parse_elems(req_ies, req_ies_len, &elems, 0);
+	if (ieee802_11_parse_elems(req_ies, req_ies_len, &elems, 0) ==
+	    ParseFailed) {
+		wpa_printf(MSG_DEBUG, "%s: Could not parse elements", __func__);
+		return -1;
+	}
+
 	if (elems.wps_ie) {
 		ie = elems.wps_ie - 2;
 		ielen = elems.wps_ie_len + 2;
--- a/src/common/hw_features_common.c
+++ b/src/common/hw_features_common.c
@ -183,8 +183,8 @@ void get_pri_sec_chan(struct wpa_scan_res *bss, int *pri_chan, int *sec_chan)

 	*pri_chan = *sec_chan = 0;

-	ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0);
-	if (elems.ht_operation) {
+	if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0) !=
+	    ParseFailed && elems.ht_operation) {
 		oper = (struct ieee80211_ht_operation *) elems.ht_operation;
 		*pri_chan = oper->primary_chan;
 		if (oper->ht_param & HT_INFO_HT_PARAM_STA_CHNL_WIDTH) {
@ -273,7 +273,10 @@ static int check_20mhz_bss(struct wpa_scan_res *bss, int pri_freq, int start,
 	if (bss->freq < start || bss->freq > end || bss->freq == pri_freq)
 		return 0;

-	ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0);
+	if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0) ==
+	    ParseFailed)
+		return 0;
+
 	if (!elems.ht_capabilities) {
 		wpa_printf(MSG_DEBUG, "Found overlapping legacy BSS: "
 			   MACSTR " freq=%d", MAC2STR(bss->bssid), bss->freq);
@ -357,9 +360,9 @@ int check_40mhz_2g4(struct hostapd_hw_modes *mode,
 			}
 		}

-		ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems,
-				       0);
-		if (elems.ht_capabilities) {
+		if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len,
+					   &elems, 0) != ParseFailed &&
+		    elems.ht_capabilities) {
 			struct ieee80211_ht_capabilities *ht_cap =
 				(struct ieee80211_ht_capabilities *)
 				elems.ht_capabilities;
--- a/src/p2p/p2p_parse.c
+++ b/src/p2p/p2p_parse.c
@ -545,7 +545,9 @@ int p2p_parse_ies(const u8 *data, size_t len, struct p2p_message *msg)
 {
 	struct ieee802_11_elems elems;

-	ieee802_11_parse_elems(data, len, &elems, 0);
+	if (ieee802_11_parse_elems(data, len, &elems, 0) == ParseFailed)
+		return -1;
+
 	if (elems.ds_params)
 		msg->ds_params = elems.ds_params;
 	if (elems.ssid)