From 7a37a94eaa0d9259737ad0b3d7b2297ee42155ff Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 18 Jul 2023 16:02:44 +0300
Subject: [PATCH] Check whether element parsing has failed

Check the ieee802_11_parse_elems() return code and do not proceed in various cases if parsing failed. Previously, these cases would have been allowed to continue by ignoring whatever might have followed in the IE buffer after the first detected parsing failure. This is not really an issue in practice, but it feels cleaner to explicitly stop when receiving an invalid set of IEs.

Signed-off-by: Jouni Malinen
---
 src/ap/drv_callbacks.c | 14 ++++++++++----
 src/common/hw_features_common.c | 15 +++++++++------
 src/p2p/p2p_parse.c | 4 +++-
 3 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 4d765dcb1..3f3f2a633 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -59,9 +59,10 @@ void hostapd_notify_assoc_fils_finish(struct hostapd_data *hapd,
 if (!sta->fils_pending_assoc_req)
 return;
- ieee802_11_parse_elems(sta->fils_pending_assoc_req,
- sta->fils_pending_assoc_req_len, &elems, 0);
- if (!elems.fils_session) {
+ if (ieee802_11_parse_elems(sta->fils_pending_assoc_req,
+ sta->fils_pending_assoc_req_len, &elems,
+ 0) == ParseFailed ||
+ !elems.fils_session) {
 wpa_printf(MSG_DEBUG, "%s failed to find FILS Session element", __func__);
 return;
@@ -176,7 +177,12 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_INFO, "associated");
- ieee802_11_parse_elems(req_ies, req_ies_len, &elems, 0);
+ if (ieee802_11_parse_elems(req_ies, req_ies_len, &elems, 0) ==
+ ParseFailed) {
+ wpa_printf(MSG_DEBUG, "%s: Could not parse elements", __func__);
+ return -1;
+ }
+
 if (elems.wps_ie) {
 ie = elems.wps_ie - 2;
 ielen = elems.wps_ie_len + 2;
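Review bot: The debug message on the new combined condition in hostapd_notify_assoc_fils_finish still says only "failed to find FILS Session element", so a ParseFailed result from ieee802_11_parse_elems() on the buffered request IEs (sta->fils_pending_assoc_req) is reported as a missing element rather than as malformed IEs. Since the parse-failure rejection is what this patch introduces, it is worth keeping it distinguishable in logs, e.g. `"%s: failed to parse elements or find FILS Session element"`. The enclosing function continues outside the hunk.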
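Review bot: The new `return -1` on ParseFailed in hostapd_notif_assoc bails out right after the STA has been logged as "associated" (visible context line above it), but unlike a rejection that goes through the function's normal failure handling it neither tells the driver to disassociate the peer nor releases the hostapd STA entry created earlier in this function. As this is the driver-side association callback, the driver has presumably already accepted the association, so a peer sending malformed association IEs is left associated at the driver level with hostapd having abandoned the RSN/WPS processing that follows. If hostapd_notif_assoc has the usual `fail:` path that disassociates and frees the entry (the function body continues outside the hunk), prefer routing this case through it with WLAN_REASON_INVALID_IE, e.g. `reason = WLAN_REASON_INVALID_IE; goto fail;`, or at least call hostapd_drv_sta_disassoc() before returning.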
diff --git a/src/common/hw_features_common.c b/src/common/hw_features_common.c
index 584c6d275..57b5a8e23 100644
--- a/src/common/hw_features_common.c
+++ b/src/common/hw_features_common.c
@@ -183,8 +183,8 @@ void get_pri_sec_chan(struct wpa_scan_res *bss, int *pri_chan, int *sec_chan)
 *pri_chan = *sec_chan = 0;
- ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0);
- if (elems.ht_operation) {
+ if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0) !=
+ ParseFailed && elems.ht_operation) {
 oper = (struct ieee80211_ht_operation *) elems.ht_operation;
 *pri_chan = oper->primary_chan;
 if (oper->ht_param & HT_INFO_HT_PARAM_STA_CHNL_WIDTH) {
@@ -273,7 +273,10 @@ static int check_20mhz_bss(struct wpa_scan_res *bss, int pri_freq, int start,
 if (bss->freq < start || bss->freq > end || bss->freq == pri_freq)
 return 0;
- ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0);
+ if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0) ==
+ ParseFailed)
+ return 0;
+
 if (!elems.ht_capabilities) {
 wpa_printf(MSG_DEBUG, "Found overlapping legacy BSS: " MACSTR " freq=%d", MAC2STR(bss->bssid), bss->freq);
@@ -357,9 +360,9 @@ int check_40mhz_2g4(struct hostapd_hw_modes *mode,
 }
 }
- ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems,
- 0);
- if (elems.ht_capabilities) {
+ if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len,
+ &elems, 0) != ParseFailed &&
+ elems.ht_capabilities) {
 struct ieee80211_ht_capabilities *ht_cap = (struct ieee80211_ht_capabilities *) elems.ht_capabilities;
diff --git a/src/p2p/p2p_parse.c b/src/p2p/p2p_parse.c
index 486d62863..07d6ca022 100644
--- a/src/p2p/p2p_parse.c
+++ b/src/p2p/p2p_parse.c
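Review bot: The new `return 0` in check_20mhz_bss silently treats a scan entry whose IEs fail to parse as not overlapping, while the neighbouring legacy-BSS branch in the same hunk records its decision with wpa_printf(); a neighbour (misbehaving or hostile) whose beacon carries malformed elements therefore drops out of the 40 MHz coexistence check with no trace in the log. Ignoring the entry is the right call, since treating it as a legacy overlapping BSS would presumably let any malformed beacon force the AP down to 20 MHz, but add a matching debug line before the return, e.g. `wpa_printf(MSG_DEBUG, "Ignoring BSS " MACSTR " freq=%d with unparseable IEs", MAC2STR(bss->bssid), bss->freq);`. The same silent-skip applies to the ParseFailed branches in get_pri_sec_chan() and check_40mhz_2g4() in the other two hunks; all three functions continue outside their hunks.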
@@ -545,7 +545,9 @@ int p2p_parse_ies(const u8 *data, size_t len, struct p2p_message *msg)
 {
 struct ieee802_11_elems elems;
- ieee802_11_parse_elems(data, len, &elems, 0);
+ if (ieee802_11_parse_elems(data, len, &elems, 0) == ParseFailed)
+ return -1;
+
 if (elems.ds_params)
 msg->ds_params = elems.ds_params;
 if (elems.ssid)
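Review bot: The new `return -1` in p2p_parse_ies is silent, unlike the equivalent rejection this same patch adds to hostapd_notif_assoc, so a peer frame that is now dropped because of a malformed element after otherwise valid P2P/WPS IEs leaves no trace in the debug log — and this is precisely the case the commit message says was previously tolerated, so it is the one most likely to surface as an interoperability report. Add a debug line before the return, e.g. `wpa_printf(MSG_DEBUG, "P2P: Failed to parse IEs (len=%u)", (unsigned int) len);`, and consider a one-line comment stating that only ParseFailed is rejected here so unknown or vendor elements keep being accepted. Nothing is written to msg before the new return, so callers see an untouched struct on this path; the function continues outside the hunk.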