AP MLD: Check SAE message length without depending on pointer arithemetic
The way this was checked previously used pointer arithmetic could result
in undefined behavior due to the pointer ending up pointing more than
one byte beyond the end of the buffer. Avoid this by checking the buffer
length before incrementing the pointer.
Fixes: bcbe80a66a
("AP: MLO: Handle Multi-Link element during authentication")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
parent
63df62c6c0
commit
c3ee46bcbe
1 changed files with 8 additions and 0 deletions
|
@ -871,6 +871,8 @@ sae_commit_skip_fixed_fields(const struct ieee80211_mgmt *mgmt, size_t len,
|
|||
|
||||
wpa_printf(MSG_DEBUG, "EHT: SAE scalar length is %zu", prime_len);
|
||||
|
||||
if (len - 2 < prime_len * (ec ? 3 : 2))
|
||||
goto truncated;
|
||||
/* scalar */
|
||||
pos += prime_len;
|
||||
|
||||
|
@ -882,6 +884,7 @@ sae_commit_skip_fixed_fields(const struct ieee80211_mgmt *mgmt, size_t len,
|
|||
}
|
||||
|
||||
if (pos - mgmt->u.auth.variable > (int) len) {
|
||||
truncated:
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"EHT: Too short SAE commit Authentication frame");
|
||||
return NULL;
|
||||
|
@ -905,6 +908,8 @@ sae_confirm_skip_fixed_fields(struct hostapd_data *hapd,
|
|||
return pos;
|
||||
|
||||
/* send confirm integer */
|
||||
if (len < 2)
|
||||
goto truncated;
|
||||
pos += 2;
|
||||
|
||||
/*
|
||||
|
@ -949,9 +954,12 @@ sae_confirm_skip_fixed_fields(struct hostapd_data *hapd,
|
|||
wpa_printf(MSG_DEBUG, "SAE: confirm: kck_len=%zu",
|
||||
sta->sae->tmp->kck_len);
|
||||
|
||||
if (len - 2 < sta->sae->tmp->kck_len)
|
||||
goto truncated;
|
||||
pos += sta->sae->tmp->kck_len;
|
||||
|
||||
if (pos - mgmt->u.auth.variable > (int) len) {
|
||||
truncated:
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"EHT: Too short SAE confirm Authentication frame");
|
||||
return NULL;
|
||||
|
|
Loading…
Reference in a new issue