hostapd/wpa_supplicant/wifi_display.c
Jouni Malinen 49d13df63c P2P: Fix wfd_dev_info parsing for P2P-DEVICE-FOUND (CID 68127)
Commit b125c48fce ('P2P: Add wfd_dev_info=
field for device found event') added Wi-Fi Display device info to the
P2P-DEVICE-FOUND events. However, it did not include proper bounds
checking in wifi_display_subelem_hex() and could accept subelements with
invalid length field values. This could result in buffer read overflow
of up to 64 kB and inclusion of heap memory in the local control
interface event and/or process crash due to invalid memory access. Fix
this by checking the validity of the length field before writing a
hexdump of the data.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 15:25:39 +03:00

297 lines
7.5 KiB
C

/*
* wpa_supplicant - Wi-Fi Display
* Copyright (c) 2011, Atheros Communications, Inc.
* Copyright (c) 2011-2012, Qualcomm Atheros, Inc.
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "p2p/p2p.h"
#include "common/ieee802_11_defs.h"
#include "wpa_supplicant_i.h"
#include "wifi_display.h"
#define WIFI_DISPLAY_SUBELEM_HEADER_LEN 3
int wifi_display_init(struct wpa_global *global)
{
global->wifi_display = 1;
return 0;
}
void wifi_display_deinit(struct wpa_global *global)
{
int i;
for (i = 0; i < MAX_WFD_SUBELEMS; i++) {
wpabuf_free(global->wfd_subelem[i]);
global->wfd_subelem[i] = NULL;
}
}
static int wifi_display_update_wfd_ie(struct wpa_global *global)
{
struct wpabuf *ie, *buf;
size_t len, plen;
if (global->p2p == NULL)
return 0;
wpa_printf(MSG_DEBUG, "WFD: Update WFD IE");
if (!global->wifi_display) {
wpa_printf(MSG_DEBUG, "WFD: Wi-Fi Display disabled - do not "
"include WFD IE");
p2p_set_wfd_ie_beacon(global->p2p, NULL);
p2p_set_wfd_ie_probe_req(global->p2p, NULL);
p2p_set_wfd_ie_probe_resp(global->p2p, NULL);
p2p_set_wfd_ie_assoc_req(global->p2p, NULL);
p2p_set_wfd_ie_invitation(global->p2p, NULL);
p2p_set_wfd_ie_prov_disc_req(global->p2p, NULL);
p2p_set_wfd_ie_prov_disc_resp(global->p2p, NULL);
p2p_set_wfd_ie_go_neg(global->p2p, NULL);
p2p_set_wfd_dev_info(global->p2p, NULL);
p2p_set_wfd_assoc_bssid(global->p2p, NULL);
p2p_set_wfd_coupled_sink_info(global->p2p, NULL);
return 0;
}
p2p_set_wfd_dev_info(global->p2p,
global->wfd_subelem[WFD_SUBELEM_DEVICE_INFO]);
p2p_set_wfd_assoc_bssid(
global->p2p,
global->wfd_subelem[WFD_SUBELEM_ASSOCIATED_BSSID]);
p2p_set_wfd_coupled_sink_info(
global->p2p, global->wfd_subelem[WFD_SUBELEM_COUPLED_SINK]);
/*
* WFD IE is included in number of management frames. Two different
* sets of subelements are included depending on the frame:
*
* Beacon, (Re)Association Request, GO Negotiation Req/Resp/Conf,
* Provision Discovery Req:
* WFD Device Info
* [Associated BSSID]
* [Coupled Sink Info]
*
* Probe Request:
* WFD Device Info
* [Associated BSSID]
* [Coupled Sink Info]
* [WFD Extended Capability]
*
* Probe Response:
* WFD Device Info
* [Associated BSSID]
* [Coupled Sink Info]
* [WFD Extended Capability]
* [WFD Session Info]
*
* (Re)Association Response, P2P Invitation Req/Resp,
* Provision Discovery Resp:
* WFD Device Info
* [Associated BSSID]
* [Coupled Sink Info]
* [WFD Session Info]
*/
len = 0;
if (global->wfd_subelem[WFD_SUBELEM_DEVICE_INFO])
len += wpabuf_len(global->wfd_subelem[
WFD_SUBELEM_DEVICE_INFO]);
if (global->wfd_subelem[WFD_SUBELEM_ASSOCIATED_BSSID])
len += wpabuf_len(global->wfd_subelem[
WFD_SUBELEM_ASSOCIATED_BSSID]);
if (global->wfd_subelem[WFD_SUBELEM_COUPLED_SINK])
len += wpabuf_len(global->wfd_subelem[
WFD_SUBELEM_COUPLED_SINK]);
if (global->wfd_subelem[WFD_SUBELEM_SESSION_INFO])
len += wpabuf_len(global->wfd_subelem[
WFD_SUBELEM_SESSION_INFO]);
if (global->wfd_subelem[WFD_SUBELEM_EXT_CAPAB])
len += wpabuf_len(global->wfd_subelem[WFD_SUBELEM_EXT_CAPAB]);
buf = wpabuf_alloc(len);
if (buf == NULL)
return -1;
if (global->wfd_subelem[WFD_SUBELEM_DEVICE_INFO])
wpabuf_put_buf(buf,
global->wfd_subelem[WFD_SUBELEM_DEVICE_INFO]);
if (global->wfd_subelem[WFD_SUBELEM_ASSOCIATED_BSSID])
wpabuf_put_buf(buf, global->wfd_subelem[
WFD_SUBELEM_ASSOCIATED_BSSID]);
if (global->wfd_subelem[WFD_SUBELEM_COUPLED_SINK])
wpabuf_put_buf(buf,
global->wfd_subelem[WFD_SUBELEM_COUPLED_SINK]);
ie = wifi_display_encaps(buf);
wpa_hexdump_buf(MSG_DEBUG, "WFD: WFD IE for Beacon", ie);
p2p_set_wfd_ie_beacon(global->p2p, ie);
ie = wifi_display_encaps(buf);
wpa_hexdump_buf(MSG_DEBUG, "WFD: WFD IE for (Re)Association Request",
ie);
p2p_set_wfd_ie_assoc_req(global->p2p, ie);
ie = wifi_display_encaps(buf);
wpa_hexdump_buf(MSG_DEBUG, "WFD: WFD IE for GO Negotiation", ie);
p2p_set_wfd_ie_go_neg(global->p2p, ie);
ie = wifi_display_encaps(buf);
wpa_hexdump_buf(MSG_DEBUG, "WFD: WFD IE for Provision Discovery "
"Request", ie);
p2p_set_wfd_ie_prov_disc_req(global->p2p, ie);
plen = buf->used;
if (global->wfd_subelem[WFD_SUBELEM_EXT_CAPAB])
wpabuf_put_buf(buf,
global->wfd_subelem[WFD_SUBELEM_EXT_CAPAB]);
ie = wifi_display_encaps(buf);
wpa_hexdump_buf(MSG_DEBUG, "WFD: WFD IE for Probe Request", ie);
p2p_set_wfd_ie_probe_req(global->p2p, ie);
if (global->wfd_subelem[WFD_SUBELEM_SESSION_INFO])
wpabuf_put_buf(buf,
global->wfd_subelem[WFD_SUBELEM_SESSION_INFO]);
ie = wifi_display_encaps(buf);
wpa_hexdump_buf(MSG_DEBUG, "WFD: WFD IE for Probe Response", ie);
p2p_set_wfd_ie_probe_resp(global->p2p, ie);
/* Remove WFD Extended Capability from buffer */
buf->used = plen;
if (global->wfd_subelem[WFD_SUBELEM_SESSION_INFO])
wpabuf_put_buf(buf,
global->wfd_subelem[WFD_SUBELEM_SESSION_INFO]);
ie = wifi_display_encaps(buf);
wpa_hexdump_buf(MSG_DEBUG, "WFD: WFD IE for P2P Invitation", ie);
p2p_set_wfd_ie_invitation(global->p2p, ie);
ie = wifi_display_encaps(buf);
wpa_hexdump_buf(MSG_DEBUG, "WFD: WFD IE for Provision Discovery "
"Response", ie);
p2p_set_wfd_ie_prov_disc_resp(global->p2p, ie);
wpabuf_free(buf);
return 0;
}
void wifi_display_enable(struct wpa_global *global, int enabled)
{
wpa_printf(MSG_DEBUG, "WFD: Wi-Fi Display %s",
enabled ? "enabled" : "disabled");
global->wifi_display = enabled;
wifi_display_update_wfd_ie(global);
}
int wifi_display_subelem_set(struct wpa_global *global, char *cmd)
{
char *pos;
int subelem;
size_t len;
struct wpabuf *e;
pos = os_strchr(cmd, ' ');
if (pos == NULL)
return -1;
*pos++ = '\0';
subelem = atoi(cmd);
if (subelem < 0 || subelem >= MAX_WFD_SUBELEMS)
return -1;
len = os_strlen(pos);
if (len & 1)
return -1;
len /= 2;
if (len == 0) {
/* Clear subelement */
e = NULL;
wpa_printf(MSG_DEBUG, "WFD: Clear subelement %d", subelem);
} else {
e = wpabuf_alloc(1 + len);
if (e == NULL)
return -1;
wpabuf_put_u8(e, subelem);
if (hexstr2bin(pos, wpabuf_put(e, len), len) < 0) {
wpabuf_free(e);
return -1;
}
wpa_printf(MSG_DEBUG, "WFD: Set subelement %d", subelem);
}
wpabuf_free(global->wfd_subelem[subelem]);
global->wfd_subelem[subelem] = e;
wifi_display_update_wfd_ie(global);
return 0;
}
int wifi_display_subelem_get(struct wpa_global *global, char *cmd,
char *buf, size_t buflen)
{
int subelem;
subelem = atoi(cmd);
if (subelem < 0 || subelem >= MAX_WFD_SUBELEMS)
return -1;
if (global->wfd_subelem[subelem] == NULL)
return 0;
return wpa_snprintf_hex(buf, buflen,
wpabuf_head_u8(global->wfd_subelem[subelem]) +
1,
wpabuf_len(global->wfd_subelem[subelem]) - 1);
}
char * wifi_display_subelem_hex(const struct wpabuf *wfd_subelems, u8 id)
{
char *subelem = NULL;
const u8 *buf;
size_t buflen;
size_t i = 0;
u16 elen;
if (!wfd_subelems)
return NULL;
buf = wpabuf_head_u8(wfd_subelems);
if (!buf)
return NULL;
buflen = wpabuf_len(wfd_subelems);
while (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN < buflen) {
elen = WPA_GET_BE16(buf + i + 1);
if (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN + elen > buflen)
break; /* truncated subelement */
if (buf[i] == id) {
subelem = os_zalloc(2 * elen + 1);
if (!subelem)
return NULL;
wpa_snprintf_hex(subelem, 2 * elen + 1,
buf + i +
WIFI_DISPLAY_SUBELEM_HEADER_LEN,
elen);
break;
}
i += elen + WIFI_DISPLAY_SUBELEM_HEADER_LEN;
}
return subelem;
}