iwinfo: improve center channel handling

- Improve iwinfo center channel struct position - Prevent read beyond buffer on malformed data Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2021-01-06 04:05:37 +01:00 · 2021-01-06 04:05:37 +01:00 · 0702f32294
commit 0702f32294
parent 618c1e86f0
2 changed files with 15 additions and 11 deletions
--- a/include/iwinfo.h
+++ b/include/iwinfo.h
@ -255,6 +255,8 @@ struct iwinfo_ops {
 	int (*probe)(const char *ifname);
 	int (*mode)(const char *, int *);
 	int (*channel)(const char *, int *);
 	int (*center_chan1)(const char *, int *);
 	int (*center_chan2)(const char *, int *);
 	int (*frequency)(const char *, int *);
 	int (*frequency_offset)(const char *, int *);
 	int (*txpower)(const char *, int *);
@ -283,8 +285,6 @@ struct iwinfo_ops {
 	int (*survey)(const char *, char *, int *);
 	int (*lookup_phy)(const char *, char *);
 	void (*close)(void);
 	int (*center_chan1)(const char *, int *);
 	int (*center_chan2)(const char *, int *);
 };
 const char * iwinfo_type(const char *ifname);
--- a/iwinfo_nl80211.c
+++ b/iwinfo_nl80211.c
@ -2380,14 +2380,18 @@ static void nl80211_get_scanlist_ie(struct nlattr **bss,
 				                 IWINFO_CIPHER_TKIP, IWINFO_KMGMT_PSK);
 			break;
 		case 61: /* HT oeration */
-			e->ht_chan_info.primary_chan = ie[2];
+			if (ie[1] >= 3) {
-			e->ht_chan_info.secondary_chan_off = ie[3] & 0x3;
+				e->ht_chan_info.primary_chan = ie[2];
-			e->ht_chan_info.chan_width = (ie[4] & 0x4)>>2;
+				e->ht_chan_info.secondary_chan_off = ie[3] & 0x3;
 				e->ht_chan_info.chan_width = (ie[4] & 0x4)>>2;
 			}
 			break;
 		case 192: /* VHT operation */
-			e->vht_chan_info.chan_width = ie[2];
+			if (ie[1] >= 3) {
-			e->vht_chan_info.center_chan_1 = ie[3];
+				e->vht_chan_info.chan_width = ie[2];
-			e->vht_chan_info.center_chan_2 = ie[4];
+				e->vht_chan_info.center_chan_1 = ie[3];
 				e->vht_chan_info.center_chan_2 = ie[4];
 			}
 			break;
 		}
@ -3347,6 +3351,8 @@ const struct iwinfo_ops nl80211_ops = {
 	.name             = "nl80211",
 	.probe            = nl80211_probe,
 	.channel          = nl80211_get_channel,
 	.center_chan1     = nl80211_get_center_chan1,
 	.center_chan2     = nl80211_get_center_chan2,
 	.frequency        = nl80211_get_frequency,
 	.frequency_offset = nl80211_get_frequency_offset,
 	.txpower          = nl80211_get_txpower,
@ -3375,7 +3381,5 @@ const struct iwinfo_ops nl80211_ops = {
 	.countrylist      = nl80211_get_countrylist,
 	.survey           = nl80211_get_survey,
 	.lookup_phy       = nl80211_lookup_phyname,
-	.close            = nl80211_close,
+	.close            = nl80211_close
 	.center_chan1     = nl80211_get_center_chan1,
 	.center_chan2     = nl80211_get_center_chan2
 };