DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

HE: Fix invalid length checking for HE Capability element

Browse source 
Do not use the first octet of the PPE Thresholds field without
explicitly confirming that that octet was included in the element.
Furthermore, allow the received element to have additional octets in the
end since IEEE Std 802.11ax-2021 defines this to be an extensible
element and new fields could be added to the end of it in the future.

Fixes: 0497e41481 ("HE: Fix HE Capabilities element size")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2022-03-03 01:24:02 +02:00 committed by Jouni Malinen
parent 53be64f7d9
commit dec626109e
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/ap/ieee802_11_he.c
View file

@ -66,6 +66,7 @@ static int ieee80211_invalid_he_cap_size(const u8 *buf, size_t len)
{ {
struct ieee80211_he_capabilities *cap; struct ieee80211_he_capabilities *cap;
size_t cap_len; size_t cap_len;
u8 ppe_thres_hdr;
cap = (struct ieee80211_he_capabilities *) buf; cap = (struct ieee80211_he_capabilities *) buf;
cap_len = sizeof(*cap) - sizeof(cap->optional); cap_len = sizeof(*cap) - sizeof(cap->optional);
@ -76,9 +77,11 @@ static int ieee80211_invalid_he_cap_size(const u8 *buf, size_t len)
if (len < cap_len) if (len < cap_len)
return 1; return 1;
cap_len += ieee80211_he_ppet_size(buf[cap_len], cap->he_phy_capab_info); ppe_thres_hdr = len > cap_len ? buf[cap_len] : 0xff;
cap_len += ieee80211_he_ppet_size(ppe_thres_hdr,
cap->he_phy_capab_info);
return len != cap_len; return len < cap_len;
} }