From d3c43e5855dceaaec9296b5ef44a8a75cce553ab Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 3 Dec 2016 18:02:49 +0200
Subject: [PATCH] privsep: Fix scan result fetching with Beacon frame IEs

wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which resulted in invalid scan data being accepted in driver_privsep.c. Add support for res->beacon_ie_len and also fix the validation step to take this new variable length field into account.

Signed-off-by: Jouni Malinen
---
 src/drivers/driver_privsep.c | 6 +++++-
 wpa_supplicant/wpa_priv.c | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/drivers/driver_privsep.c b/src/drivers/driver_privsep.c
index 5d8503301..68fd261a8 100644
--- a/src/drivers/driver_privsep.c
+++ b/src/drivers/driver_privsep.c
@@ -173,7 +173,11 @@ wpa_driver_privsep_get_scan_results2(void *priv)
 break;
 os_memcpy(r, pos, len);
 pos += len;
- if (sizeof(*r) + r->ie_len > (size_t) len) {
+ if (sizeof(*r) + r->ie_len + r->beacon_ie_len > (size_t) len) {
+ wpa_printf(MSG_ERROR,
+ "privsep: Invalid scan result len (%d + %d + %d > %d)",
+ (int) sizeof(*r), (int) r->ie_len,
+ (int) r->beacon_ie_len, len);
 os_free(r);
 break;
 }
diff --git a/wpa_supplicant/wpa_priv.c b/wpa_supplicant/wpa_priv.c
index 6de590a52..328972f3e 100644
--- a/wpa_supplicant/wpa_priv.c
+++ b/wpa_supplicant/wpa_priv.c
@@ -177,7 +177,7 @@ static void wpa_priv_get_scan_results2(struct wpa_priv_interface *iface,
 for (i = 0; i < res->num; i++) {
 struct wpa_scan_res *r = res->res[i];
- val = sizeof(*r) + r->ie_len;
+ val = sizeof(*r) + r->ie_len + r->beacon_ie_len;
 if (end - pos < (int) sizeof(int) + val)
 break;
 os_memcpy(pos, &val, sizeof(int));
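Review bot: The rejection test on the new `if` line adds two length fields read straight out of the received buffer, so a sum that wraps around size_t would slip past the check and the later IE walk would read beyond the `len` bytes that were just copied into `r`. Comparing the fields one at a time cannot wrap, e.g. `if (r->ie_len > (size_t) len - sizeof(*r) || r->beacon_ie_len > (size_t) len - sizeof(*r) - r->ie_len) {`; this presumes a `len < sizeof(*r)` guard ahead of the hunk (the `break;` on its first context line looks like one), which I cannot confirm from here. The new wpa_printf lines cast both fields to int for `%d`, which is harmless for a log but prints misleading values on exactly the oversized inputs the message exists to report; passing the raw size_t values with `%zu` would be more useful. wpa_driver_privsep_get_scan_results2 starts and ends outside the hunk.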
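Review bot: The new `val = ...` line stores a size_t sum into what the surrounding `os_memcpy(pos, &val, sizeof(int))` and `(int) sizeof(int) + val` suggest is an int, so an oversized ie_len/beacon_ie_len pair is silently truncated, and a negative `val` makes the following `end - pos < (int) sizeof(int) + val` bounds check pass when it should reject the entry. Computing the sum in size_t and rejecting it before the narrowing keeps the check sound, e.g. `size_t total = sizeof(*r) + r->ie_len + r->beacon_ie_len;` followed by `if (total > INT_MAX) break;` and then `val = (int) total;`. Whether `val` is really declared int, and whether limits.h is already included in this file, cannot be confirmed from the hunk; wpa_priv_get_scan_results2 starts and ends outside it.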