P2P: Fix validation on Invitation Request error path
It was possible for the error path to try to use P2P Group ID attribute even if one was not included in the message. This could result in dereferencing a NULL pointer, so re-check the pointer before copying the data. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
ca412c7a38
commit
fa72a880ed
1 changed files with 10 additions and 5 deletions
|
@ -359,12 +359,17 @@ fail:
|
|||
p2p->inv_group_bssid_ptr = p2p->inv_group_bssid;
|
||||
} else
|
||||
p2p->inv_group_bssid_ptr = NULL;
|
||||
if (msg.group_id_len - ETH_ALEN <= 32) {
|
||||
os_memcpy(p2p->inv_ssid, msg.group_id + ETH_ALEN,
|
||||
msg.group_id_len - ETH_ALEN);
|
||||
p2p->inv_ssid_len = msg.group_id_len - ETH_ALEN;
|
||||
if (msg.group_id) {
|
||||
if (msg.group_id_len - ETH_ALEN <= 32) {
|
||||
os_memcpy(p2p->inv_ssid, msg.group_id + ETH_ALEN,
|
||||
msg.group_id_len - ETH_ALEN);
|
||||
p2p->inv_ssid_len = msg.group_id_len - ETH_ALEN;
|
||||
}
|
||||
os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN);
|
||||
} else {
|
||||
p2p->inv_ssid_len = 0;
|
||||
os_memset(p2p->inv_go_dev_addr, 0, ETH_ALEN);
|
||||
}
|
||||
os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN);
|
||||
p2p->inv_status = status;
|
||||
p2p->inv_op_freq = op_freq;
|
||||
|
||||
|
|
Loading…
Reference in a new issue