FT: Check FT, MD, and Timeout Interval length in the parser
All the existing users of these elements were already validating the element length. However, it is clearer to validate this already in the parser as an extra layer of protection against any future changes. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
c9bf7b6623
commit
ae7a42bde2
4 changed files with 16 additions and 5 deletions
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
* IEEE 802.11 Common routines
|
* IEEE 802.11 Common routines
|
||||||
* Copyright (c) 2002-2013, Jouni Malinen <j@w1.fi>
|
* Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
|
||||||
*
|
*
|
||||||
* This software may be distributed under the terms of the BSD license.
|
* This software may be distributed under the terms of the BSD license.
|
||||||
* See README for more details.
|
* See README for more details.
|
||||||
|
@ -10,6 +10,7 @@
|
||||||
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
#include "defs.h"
|
#include "defs.h"
|
||||||
|
#include "wpa_common.h"
|
||||||
#include "ieee802_11_defs.h"
|
#include "ieee802_11_defs.h"
|
||||||
#include "ieee802_11_common.h"
|
#include "ieee802_11_common.h"
|
||||||
|
|
||||||
|
@ -245,14 +246,20 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
|
||||||
elems->supp_channels_len = elen;
|
elems->supp_channels_len = elen;
|
||||||
break;
|
break;
|
||||||
case WLAN_EID_MOBILITY_DOMAIN:
|
case WLAN_EID_MOBILITY_DOMAIN:
|
||||||
|
if (elen < sizeof(struct rsn_mdie))
|
||||||
|
break;
|
||||||
elems->mdie = pos;
|
elems->mdie = pos;
|
||||||
elems->mdie_len = elen;
|
elems->mdie_len = elen;
|
||||||
break;
|
break;
|
||||||
case WLAN_EID_FAST_BSS_TRANSITION:
|
case WLAN_EID_FAST_BSS_TRANSITION:
|
||||||
|
if (elen < sizeof(struct rsn_ftie))
|
||||||
|
break;
|
||||||
elems->ftie = pos;
|
elems->ftie = pos;
|
||||||
elems->ftie_len = elen;
|
elems->ftie_len = elen;
|
||||||
break;
|
break;
|
||||||
case WLAN_EID_TIMEOUT_INTERVAL:
|
case WLAN_EID_TIMEOUT_INTERVAL:
|
||||||
|
if (elen != 5)
|
||||||
|
break;
|
||||||
elems->timeout_int = pos;
|
elems->timeout_int = pos;
|
||||||
elems->timeout_int_len = elen;
|
elems->timeout_int_len = elen;
|
||||||
break;
|
break;
|
||||||
|
|
|
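Review bot: The literal `5` in `if (elen != 5)` under `case WLAN_EID_TIMEOUT_INTERVAL` is a magic number, and the same literal recurs in the wpa_ft_parse_ies hunk (`if (pos[1] != 5)`); a comment or named constant would make the expected layout explicit, e.g. `/* Timeout Interval element body: Type (1 octet) + Value (4 octets) */`. The three new checks in ieee802_11_parse_elems discard a malformed element with a bare `break`, so `elems->mdie`, `elems->ftie` or `elems->timeout_int` simply stay unset with no debug output; a `wpa_printf(MSG_DEBUG, ...)` naming the element ID and `elen` before each `break` would make a rejected element visible when diagnosing an interop failure, since callers presumably only see the element as absent. The body of ieee802_11_parse_elems begins and ends outside this hunk.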
@ -356,6 +356,8 @@ int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
|
||||||
parse->rsn_pmkid = data.pmkid;
|
parse->rsn_pmkid = data.pmkid;
|
||||||
break;
|
break;
|
||||||
case WLAN_EID_MOBILITY_DOMAIN:
|
case WLAN_EID_MOBILITY_DOMAIN:
|
||||||
|
if (pos[1] < sizeof(struct rsn_mdie))
|
||||||
|
return -1;
|
||||||
parse->mdie = pos + 2;
|
parse->mdie = pos + 2;
|
||||||
parse->mdie_len = pos[1];
|
parse->mdie_len = pos[1];
|
||||||
break;
|
break;
|
||||||
|
@ -368,6 +370,8 @@ int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
|
||||||
return -1;
|
return -1;
|
||||||
break;
|
break;
|
||||||
case WLAN_EID_TIMEOUT_INTERVAL:
|
case WLAN_EID_TIMEOUT_INTERVAL:
|
||||||
|
if (pos[1] != 5)
|
||||||
|
break;
|
||||||
parse->tie = pos + 2;
|
parse->tie = pos + 2;
|
||||||
parse->tie_len = pos[1];
|
parse->tie_len = pos[1];
|
||||||
break;
|
break;
|
||||||
|
|
|
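Review bot: The failure handling added to wpa_ft_parse_ies differs between the two hunks: a short MDIE is fatal (`if (pos[1] < sizeof(struct rsn_mdie)) return -1;`), consistent with the `return -1;` visible just above the Timeout Interval case, but a Timeout Interval element of unexpected length is skipped with `break`, leaving `parse->tie` NULL while the parse succeeds. If the asymmetry is deliberate (presumably because the MDIE/FTIE are required for FT while the TIE is not), a comment on that `break` such as `/* Timeout Interval is optional; ignore a malformed one rather than failing the parse */` would keep a future reader from "harmonising" it in either direction. The body of wpa_ft_parse_ies starts and ends outside these hunks, so how callers handle a NULL parse->tie cannot be confirmed here.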
@ -306,7 +306,6 @@ struct wpa_igtk_kde {
|
||||||
} STRUCT_PACKED;
|
} STRUCT_PACKED;
|
||||||
#endif /* CONFIG_IEEE80211W */
|
#endif /* CONFIG_IEEE80211W */
|
||||||
|
|
||||||
#ifdef CONFIG_IEEE80211R
|
|
||||||
struct rsn_mdie {
|
struct rsn_mdie {
|
||||||
u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
|
u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
|
||||||
u8 ft_capab;
|
u8 ft_capab;
|
||||||
|
@ -334,7 +333,6 @@ struct rsn_rdie {
|
||||||
le16 status_code;
|
le16 status_code;
|
||||||
} STRUCT_PACKED;
|
} STRUCT_PACKED;
|
||||||
|
|
||||||
#endif /* CONFIG_IEEE80211R */
|
|
||||||
|
|
||||||
#ifdef _MSC_VER
|
#ifdef _MSC_VER
|
||||||
#pragma pack(pop)
|
#pragma pack(pop)
|
||||||
|
|
|
@ -511,12 +511,14 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
|
||||||
ie->rsn_ie_len = pos[1] + 2;
|
ie->rsn_ie_len = pos[1] + 2;
|
||||||
wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
|
wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
|
||||||
ie->rsn_ie, ie->rsn_ie_len);
|
ie->rsn_ie, ie->rsn_ie_len);
|
||||||
} else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
|
} else if (*pos == WLAN_EID_MOBILITY_DOMAIN &&
|
||||||
|
pos[1] >= sizeof(struct rsn_mdie)) {
|
||||||
ie->mdie = pos;
|
ie->mdie = pos;
|
||||||
ie->mdie_len = pos[1] + 2;
|
ie->mdie_len = pos[1] + 2;
|
||||||
wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
|
wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
|
||||||
ie->mdie, ie->mdie_len);
|
ie->mdie, ie->mdie_len);
|
||||||
} else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
|
} else if (*pos == WLAN_EID_FAST_BSS_TRANSITION &&
|
||||||
|
pos[1] >= sizeof(struct rsn_ftie)) {
|
||||||
ie->ftie = pos;
|
ie->ftie = pos;
|
||||||
ie->ftie_len = pos[1] + 2;
|
ie->ftie_len = pos[1] + 2;
|
||||||
wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
|
wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
|
||||||
|
|
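Review bot: The two length conditions added to the `else if` chain in wpa_supplicant_parse_ies turn a too-short MDIE or FTIE into a silent fall-through to the next branch, with no debug output, whereas an accepted element is hexdumped; logging the rejected case, e.g. `wpa_printf(MSG_DEBUG, "WPA: Ignored too short MDIE (len=%u)", pos[1]);`, would keep the EAPOL-Key parsing log complete, though the branch would have to be split to host it. The conditions also mix two length conventions: `pos[1] >= sizeof(struct rsn_mdie)` compares the element body length, while `ie->mdie_len = pos[1] + 2` stores the length including the 2-octet ID/length header, so a comment such as `/* pos[1] is the body length; the stored length includes the element header */` beside the checks would prevent an off-by-two misreading. Which branch a rejected element reaches after the fall-through lies outside this hunk.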