DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

WNM: Try to make bounds checking easier for static analyzers

Browse source 
The length of the URL, i.e., pos[0], is verified here to be within the
bounds of the recieved message, but that seemed to be done in a manner
that might bee too complex for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2022-05-08 12:19:42 +03:00
parent f8615990e2
commit fe1dc9ba77
1 changed files with 11 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
wpa_supplicant/wnm_sta.c
View file

@ -1453,15 +1453,22 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT) { if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT) {
char url[256]; char url[256];
u8 url_len;
if (end - pos < 1 || 1 + pos[0] > end - pos) { if (end - pos < 1) {
wpa_printf(MSG_DEBUG, "WNM: Invalid BSS Transition " wpa_printf(MSG_DEBUG, "WNM: Invalid BSS Transition "
"Management Request (URL)"); "Management Request (URL)");
return; return;
} }
os_memcpy(url, pos + 1, pos[0]); url_len = *pos++;
url[pos[0]] = '\0'; if (url_len > end - pos) {
pos += 1 + pos[0]; wpa_printf(MSG_DEBUG,
"WNM: Invalid BSS Transition Management Request (URL truncated)");
return;
}
os_memcpy(url, pos, url_len);
url[url_len] = '\0';
pos += url_len;
wpa_msg(wpa_s, MSG_INFO, ESS_DISASSOC_IMMINENT "%d %u %s", wpa_msg(wpa_s, MSG_INFO, ESS_DISASSOC_IMMINENT "%d %u %s",
wpa_sm_pmf_enabled(wpa_s->wpa), wpa_sm_pmf_enabled(wpa_s->wpa),