privsep: Fix scan result fetching with Beacon frame IEs
wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which resulted in invalid scan data being accepted in driver_privsep.c. Add support for res->beacon_ie_len and also fix the validation step to take this new variable length field into account. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
0771e912ae
commit
d3c43e5855
2 changed files with 6 additions and 2 deletions
|
|
@ -173,7 +173,11 @@ wpa_driver_privsep_get_scan_results2(void *priv)
|
||||||
break;
|
break;
|
||||||
os_memcpy(r, pos, len);
|
os_memcpy(r, pos, len);
|
||||||
pos += len;
|
pos += len;
|
||||||
if (sizeof(*r) + r->ie_len > (size_t) len) {
|
if (sizeof(*r) + r->ie_len + r->beacon_ie_len > (size_t) len) {
|
||||||
|
wpa_printf(MSG_ERROR,
|
||||||
|
"privsep: Invalid scan result len (%d + %d + %d > %d)",
|
||||||
|
(int) sizeof(*r), (int) r->ie_len,
|
||||||
|
(int) r->beacon_ie_len, len);
|
||||||
os_free(r);
|
os_free(r);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -177,7 +177,7 @@ static void wpa_priv_get_scan_results2(struct wpa_priv_interface *iface,
|
||||||
|
|
||||||
for (i = 0; i < res->num; i++) {
|
for (i = 0; i < res->num; i++) {
|
||||||
struct wpa_scan_res *r = res->res[i];
|
struct wpa_scan_res *r = res->res[i];
|
||||||
val = sizeof(*r) + r->ie_len;
|
val = sizeof(*r) + r->ie_len + r->beacon_ie_len;
|
||||||
if (end - pos < (int) sizeof(int) + val)
|
if (end - pos < (int) sizeof(int) + val)
|
||||||
break;
|
break;
|
||||||
os_memcpy(pos, &val, sizeof(int));
|
os_memcpy(pos, &val, sizeof(int));
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue