DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

WNM: Fix WNM-Sleep Mode Request parsing for WNM-Sleep element

Browse source 
The length of the WNM-Sleep element was not verified before using it.
This could result in reading the subfields in this element (total of
four octets) beyond the end of the buffer. Fix this by ignoring the
element if it is not long enough to contain all the subfields.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2017-02-12 11:43:54 +02:00
parent ea8d18a061
commit d6d5970e23
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/ap/wnm_ap.c
View file

@ -207,7 +207,8 @@ static void ieee802_11_rx_wnmsleep_req(struct hostapd_data *hapd,
u8 ie_len = pos[1]; u8 ie_len = pos[1];
if (pos + 2 + ie_len > frm + len) if (pos + 2 + ie_len > frm + len)
break; break;
if (*pos == WLAN_EID_WNMSLEEP) if (*pos == WLAN_EID_WNMSLEEP &&
ie_len >= (int) sizeof(*wnmsleep_ie) - 2)
wnmsleep_ie = (struct wnm_sleep_element *) pos; wnmsleep_ie = (struct wnm_sleep_element *) pos;
else if (*pos == WLAN_EID_TFS_REQ) { else if (*pos == WLAN_EID_TFS_REQ) {
if (!tfsreq_ie_start) if (!tfsreq_ie_start)