AP MLD: More careful checking of Multi-Link element length fields

Avoid a potential read of one or two octets beyond the end of the
subelement when verifying that a sufficient amount of data is
included in each subelement/element within the MLE in Association
Request frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2023-12-17 21:55:10 +02:00
parent 38a5ed5fda
commit 828311ef31


@ -1004,7 +1004,7 @@ ParseRes ieee802_11_parse_link_assoc_req(const u8 *start, size_t len,
continue; continue;
} }
if (sub_elem_len < 3) { if (sub_elem_len < 5) {
if (show_errors) if (show_errors)
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"MLD: error: sub_elem_len=%zu < 5", "MLD: error: sub_elem_len=%zu < 5",
@ -1073,7 +1073,8 @@ ParseRes ieee802_11_parse_link_assoc_req(const u8 *start, size_t len,
non_inherit_len -= 1 + non_inherit[0]; non_inherit_len -= 1 + non_inherit[0];
non_inherit += 1 + non_inherit[0]; non_inherit += 1 + non_inherit[0];
if (non_inherit_len < 1UL + non_inherit[0]) { if (non_inherit_len < 1UL ||
non_inherit_len < 1UL + non_inherit[0]) {
if (show_errors) if (show_errors)
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"MLD: Invalid inheritance"); "MLD: Invalid inheritance");
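Review bot: In the second hunk, the new `non_inherit_len < 1UL` clause protects the read of `non_inherit[0]` only because `||` short-circuits, and nothing in the code says so; a comment such as `/* need the list length octet before reading non_inherit[0] */` above the condition would keep a later cleanup from merging or reordering the two clauses. The subtraction `non_inherit_len -= 1 + non_inherit[0];` just above appears to be unsigned (the comparison uses `1UL`), so it depends on a bound checked before this hunk; if that bound is missing, the length wraps and both new comparisons pass. That is worth confirming, because the body of `ieee802_11_parse_link_assoc_req` starts and ends outside the visible lines. In the first hunk the old test (`< 3`) had drifted from its own message (`< 5`); using one named constant for the minimum in both the condition and the `wpa_printf` format would stop that from recurring.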