FT: Check FT, MD, and Timeout Interval length in the parser

All the existing users of these elements were already validating the
element length. However, it is clearer to validate this already at the
parser for extra layer of protection for any future changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-04-19 16:28:35 +03:00
parent c9bf7b6623
commit ae7a42bde2
4 changed files with 16 additions and 5 deletions

View file

@ -1,6 +1,6 @@
/* /*
* IEEE 802.11 Common routines * IEEE 802.11 Common routines
* Copyright (c) 2002-2013, Jouni Malinen <j@w1.fi> * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
* *
* This software may be distributed under the terms of the BSD license. * This software may be distributed under the terms of the BSD license.
* See README for more details. * See README for more details.
@ -10,6 +10,7 @@
#include "common.h" #include "common.h"
#include "defs.h" #include "defs.h"
#include "wpa_common.h"
#include "ieee802_11_defs.h" #include "ieee802_11_defs.h"
#include "ieee802_11_common.h" #include "ieee802_11_common.h"
@ -245,14 +246,20 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
elems->supp_channels_len = elen; elems->supp_channels_len = elen;
break; break;
case WLAN_EID_MOBILITY_DOMAIN: case WLAN_EID_MOBILITY_DOMAIN:
if (elen < sizeof(struct rsn_mdie))
break;
elems->mdie = pos; elems->mdie = pos;
elems->mdie_len = elen; elems->mdie_len = elen;
break; break;
case WLAN_EID_FAST_BSS_TRANSITION: case WLAN_EID_FAST_BSS_TRANSITION:
if (elen < sizeof(struct rsn_ftie))
break;
elems->ftie = pos; elems->ftie = pos;
elems->ftie_len = elen; elems->ftie_len = elen;
break; break;
case WLAN_EID_TIMEOUT_INTERVAL: case WLAN_EID_TIMEOUT_INTERVAL:
if (elen != 5)
break;
elems->timeout_int = pos; elems->timeout_int = pos;
elems->timeout_int_len = elen; elems->timeout_int_len = elen;
break; break;

View file

@ -356,6 +356,8 @@ int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
parse->rsn_pmkid = data.pmkid; parse->rsn_pmkid = data.pmkid;
break; break;
case WLAN_EID_MOBILITY_DOMAIN: case WLAN_EID_MOBILITY_DOMAIN:
if (pos[1] < sizeof(struct rsn_mdie))
return -1;
parse->mdie = pos + 2; parse->mdie = pos + 2;
parse->mdie_len = pos[1]; parse->mdie_len = pos[1];
break; break;
@ -368,6 +370,8 @@ int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
return -1; return -1;
break; break;
case WLAN_EID_TIMEOUT_INTERVAL: case WLAN_EID_TIMEOUT_INTERVAL:
if (pos[1] != 5)
break;
parse->tie = pos + 2; parse->tie = pos + 2;
parse->tie_len = pos[1]; parse->tie_len = pos[1];
break; break;

View file

@ -306,7 +306,6 @@ struct wpa_igtk_kde {
} STRUCT_PACKED; } STRUCT_PACKED;
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_IEEE80211R
struct rsn_mdie { struct rsn_mdie {
u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN]; u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
u8 ft_capab; u8 ft_capab;
@ -334,7 +333,6 @@ struct rsn_rdie {
le16 status_code; le16 status_code;
} STRUCT_PACKED; } STRUCT_PACKED;
#endif /* CONFIG_IEEE80211R */
#ifdef _MSC_VER #ifdef _MSC_VER
#pragma pack(pop) #pragma pack(pop)

View file

@ -511,12 +511,14 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
ie->rsn_ie_len = pos[1] + 2; ie->rsn_ie_len = pos[1] + 2;
wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key", wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
ie->rsn_ie, ie->rsn_ie_len); ie->rsn_ie, ie->rsn_ie_len);
} else if (*pos == WLAN_EID_MOBILITY_DOMAIN) { } else if (*pos == WLAN_EID_MOBILITY_DOMAIN &&
pos[1] >= sizeof(struct rsn_mdie)) {
ie->mdie = pos; ie->mdie = pos;
ie->mdie_len = pos[1] + 2; ie->mdie_len = pos[1] + 2;
wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key", wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
ie->mdie, ie->mdie_len); ie->mdie, ie->mdie_len);
} else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) { } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION &&
pos[1] >= sizeof(struct rsn_ftie)) {
ie->ftie = pos; ie->ftie = pos;
ie->ftie_len = pos[1] + 2; ie->ftie_len = pos[1] + 2;
wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key", wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",