hostapd/src
Jouni Malinen e34cd9f06e WNM: Fix WNM-Sleep Mode Request bounds checking
ieee802_11_rx_wnmsleep_req() might have been called for a short frame
that has no more payload after the Public Action field, i.e., with len
== 0. The bounds checking for the payload length was done only for the
information elements while the one octet Dialog Token field was read
unconditionally. In the original implementation, this could have
resulted in reading one octet beyond the end of the received frame data.

This case has not been reachable after the commit e0785ebbbd ("Use
more consistent Action frame RX handling in both AP mode paths"), but it
is better to address the specific issue in ieee802_11_rx_wnmsleep_req()
as well for additional protection against accidental removal of the
check and also to have something that can be merged into an older
version (pre-v2.7) if desired. The comments below apply for such older
versions where the case could have been reachable.

Depending on the driver-interface-specific mechanism used for fetching the
frame, this could result in reading one octet beyond the end of a
stack/hash buffer or reading an uninitialized octet from within a
buffer. The actual value that was read as the Dialog Token field is not
used since the function returns immediately after having read this value
when there are no information elements following the field.

This issue was initially added in commit d32d94dbf4 ("WNM: Add
WNM-Sleep Mode implementation for AP") (with CONFIG_IEEE80211V=y build
option) and it remained in place during a number of cleanup and fix
changes in this area and renaming of the build parameter to
CONFIG_WNM=y. The impacted function was not included in any default
build without one of these optional build options being explicitly
enabled. CONFIG_WNM=y is still documented as "experimental and not
complete implementation" in hostapd/defconfig. In addition, commit
114f2830d2 ("WNM: Ignore WNM-Sleep Mode Request in wnm_sleep_mode=0
case") made this function exit before the impacted read if WNM-Sleep Mode
support was not explicitly enabled in runtime configuration
(wnm_sleep_mode=1 in hostapd.conf). Commit e0785ebbbd ("Use more
consistent Action frame RX handling in both AP mode paths") made this
code unreachable in practice.

Add an explicit check that the frame has enough payload before reading
the Dialog Token field in ieee802_11_rx_wnmsleep_req().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-01-28 14:58:17 +02:00
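An added example, not hostapd's own code, that reproduces the two parser shapes the commit message describes: a hypothetical WNM-Sleep Mode Request payload parser that reads the Dialog Token before ever consulting len, beside the corrected version that checks len first. Function, type and return-code names are assumptions, and the frame bytes in the checks are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return codes of this illustrative parser (hypothetical names, not hostapd's API). */
enum { RX_OK = 0, RX_TOO_SHORT = -1, RX_BAD_IE = -2 };
struct wnmsleep_req {
    uint8_t dialog_token;
    size_t ie_count;   /* well-formed information elements after the Dialog Token */
};
typedef int (*wnmsleep_parser)(const uint8_t *, size_t, struct wnmsleep_req *);

/* Walk the IEs (ID, Length, Data) in [pos, end); every octet is bounds checked. */
static int walk_ies(const uint8_t *pos, const uint8_t *end, struct wnmsleep_req *out)
{
    while (pos < end) {
        if (end - pos < 2 || (size_t)(end - pos - 2) < pos[1])
            return RX_BAD_IE;   /* truncated element: refuse rather than over-read */
        out->ie_count++;
        pos += 2 + pos[1];
    }
    return RX_OK;
}

/* Pre-fix shape: frm points just past the Action field, len is what remains. The
 * Dialog Token is read before len is consulted, so len == 0 reads one octet past the frame. */
int parse_wnmsleep_req_unchecked(const uint8_t *frm, size_t len, struct wnmsleep_req *out)
{
    memset(out, 0, sizeof(*out));
    out->dialog_token = frm[0];
    return walk_ies(frm + 1, frm + len, out);   /* pos > end for len == 0: reports success */
}

/* Post-fix shape: reject the frame before touching frm when no payload follows. */
int parse_wnmsleep_req_fixed(const uint8_t *frm, size_t len, struct wnmsleep_req *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 1)
        return RX_TOO_SHORT;
    out->dialog_token = frm[0];
    return walk_ies(frm + 1, frm + len, out);
}

/* Dialog Token as seen by a given parser, or -1 when that parser rejects the frame. */
int dialog_token_of(wnmsleep_parser parse, const uint8_t *frm, size_t len)
{
    struct wnmsleep_req r;
    return parse(frm, len, &r) == RX_OK ? r.dialog_token : -1;
}
```

Feeding a two-octet buffer with len == 0 to both parsers shows the difference: the unchecked one returns the octet that lies past the logical end of the frame as the Dialog Token, the fixed one returns RX_TOO_SHORT without reading anything.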
ap WNM: Fix WNM-Sleep Mode Request bounds checking 2019-01-28 14:58:17 +02:00
common Add a vendor attribution to transfer EVM information 2019-01-21 12:28:05 +02:00
crypto crl_reload_interval: Add CRL reloading support 2019-01-27 18:45:07 +02:00
drivers drivers: Set CONFIG_LIBNL32=y automatically based on pkg-config 2019-01-08 13:31:55 +02:00
eap_common EAP-pwd: Mask timing of PWE derivation 2018-05-28 22:15:15 +03:00
eap_peer EAP-TLS: Update Session-Id derivation with TLS v1.3 2019-01-05 18:00:26 +02:00
eap_server EAP-TLS: Update Session-Id derivation with TLS v1.3 2019-01-05 18:00:26 +02:00
eapol_auth Add hostapd tls_flags parameter 2017-09-18 12:12:48 +03:00
eapol_supp eap_proxy: Fix memory leaks when using eap_peer_erp_init() 2018-09-21 21:34:08 +03:00
fst fst: Fix compile error in fst_ctrl_aux.h with C++ compilers 2018-05-21 17:47:03 +03:00
l2_packet wpa_supplicant: Don't reply to EAPOL if pkt_type is PACKET_OTHERHOST 2018-04-02 12:21:27 +03:00
p2p P2P: Add 802.11ax support for P2P GO 2019-01-12 13:09:39 +02:00
pae mka: New MI should only be generated when peer's key is invalid 2019-01-08 01:12:02 +02:00
radius RADIUS client: Cease endless retry for message for multiple servers 2019-01-07 23:38:18 +02:00
rsn_supp OCV: Include and verify OCI in the FILS handshake 2018-12-17 15:50:12 +02:00
tls Use os_memdup() 2017-03-07 13:19:10 +02:00
utils eloop: Fix kqueue event deletion filter 2019-01-02 12:11:52 +02:00
wps WPS: Fix wps_validate_credential() argument type 2018-12-24 11:12:53 +02:00
lib.rules Add QUIET=1 option for make 2014-12-29 15:49:05 +02:00
Makefile FST: Add the Fast Session Transfer (FST) module 2015-07-16 18:26:15 +03:00