AP MLD: Check SAE message length without depending on pointer arithemetic

The way this was checked previously used pointer arithmetic could result in undefined behavior due to the pointer ending up pointing more than one byte beyond the end of the buffer. Avoid this by checking the buffer length before incrementing the pointer. Fixes: bcbe80a66a ("AP: MLO: Handle Multi-Link element during authentication") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-09-01 13:24:29 +03:00 · 2024-09-01 13:24:29 +03:00 · c3ee46bcbe
commit c3ee46bcbe
parent 63df62c6c0
1 changed files with 8 additions and 0 deletions
--- a/src/ap/ieee802_11_eht.c
+++ b/src/ap/ieee802_11_eht.c
@ -871,6 +871,8 @@ sae_commit_skip_fixed_fields(const struct ieee80211_mgmt *mgmt, size_t len,

 	wpa_printf(MSG_DEBUG, "EHT: SAE scalar length is %zu", prime_len);

+	if (len - 2 < prime_len * (ec ? 3 : 2))
+		goto truncated;
 	/* scalar */
 	pos += prime_len;

@ -882,6 +884,7 @@ sae_commit_skip_fixed_fields(const struct ieee80211_mgmt *mgmt, size_t len,
 	}

 	if (pos - mgmt->u.auth.variable > (int) len) {
+	truncated:
 		wpa_printf(MSG_DEBUG,
 			   "EHT: Too short SAE commit Authentication frame");
 		return NULL;
@ -905,6 +908,8 @@ sae_confirm_skip_fixed_fields(struct hostapd_data *hapd,
 		return pos;

 	/* send confirm integer */
+	if (len < 2)
+		goto truncated;
 	pos += 2;

 	/*
@ -949,9 +954,12 @@ sae_confirm_skip_fixed_fields(struct hostapd_data *hapd,
 	wpa_printf(MSG_DEBUG, "SAE: confirm: kck_len=%zu",
 		   sta->sae->tmp->kck_len);

+	if (len - 2 < sta->sae->tmp->kck_len)
+		goto truncated;
 	pos += sta->sae->tmp->kck_len;

 	if (pos - mgmt->u.auth.variable > (int) len) {
+	truncated:
 		wpa_printf(MSG_DEBUG,
 			   "EHT: Too short SAE confirm Authentication frame");
 		return NULL;