From d4c4ec9240eed83f51300da17a7847cb36549dd7 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 19 Apr 2015 11:42:02 +0300 Subject: [PATCH] wlantest: Verify FTIE length before checking MIC tdls_verify_mic() and tdls_verify_mic_teardown() could have tried to read the 16-octet FTIE MIC when processing a TDLS frame even if the received FTIE is truncated. At least in theory, this could result in reading couple of octets beyond the frame buffer. Signed-off-by: Jouni Malinen --- wlantest/rx_tdls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/wlantest/rx_tdls.c b/wlantest/rx_tdls.c index d9247c147..f059e8dd8 100644 --- a/wlantest/rx_tdls.c +++ b/wlantest/rx_tdls.c @@ -142,7 +142,8 @@ static int tdls_verify_mic(struct wlantest *wt, struct wlantest_tdls *tdls, struct rsn_ftie *tmp_ftie; if (elems->link_id == NULL || elems->rsn_ie == NULL || - elems->timeout_int == NULL || elems->ftie == NULL) + elems->timeout_int == NULL || elems->ftie == NULL || + elems->ftie_len < sizeof(struct rsn_ftie)) return -1; len = 2 * ETH_ALEN + 1 + 2 + 18 + 2 + elems->rsn_ie_len + @@ -488,7 +489,8 @@ static int tdls_verify_mic_teardown(struct wlantest *wt, const struct rsn_ftie *rx_ftie; struct rsn_ftie *tmp_ftie; - if (elems->link_id == NULL || elems->ftie == NULL) + if (elems->link_id == NULL || elems->ftie == NULL || + elems->ftie_len < sizeof(struct rsn_ftie)) return -1; len = 2 + 18 + 2 + 1 + 1 + 2 + elems->ftie_len;