authorJouni Malinen <j@w1.fi>2016-12-03 16:02:49 (GMT)
committerJouni Malinen <j@w1.fi>2016-12-03 16:02:49 (GMT)
commitd3c43e5855dceaaec9296b5ef44a8a75cce553ab (patch)
treeb4f6fbbc12cb3bf6b3b984e2a7bf1815a48dfffd
parent0771e912ae570a75b03fe9c52bc18b1db272602c (diff)
privsep: Fix scan result fetching with Beacon frame IEs
wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which resulted in invalid scan data being accepted in driver_privsep.c. Add support for res->beacon_ie_len and also fix the validation step to take this new variable length field into account. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/drivers/driver_privsep.c6
-rw-r--r--wpa_supplicant/wpa_priv.c2
2 files changed, 6 insertions, 2 deletions
diff --git a/src/drivers/driver_privsep.c b/src/drivers/driver_privsep.c
index 5d85033..68fd261 100644
--- a/src/drivers/driver_privsep.c
+++ b/src/drivers/driver_privsep.c
@@ -173,7 +173,11 @@ wpa_driver_privsep_get_scan_results2(void *priv)
break;
os_memcpy(r, pos, len);
pos += len;
- if (sizeof(*r) + r->ie_len > (size_t) len) {
+ if (sizeof(*r) + r->ie_len + r->beacon_ie_len > (size_t) len) {
+ wpa_printf(MSG_ERROR,
+ "privsep: Invalid scan result len (%d + %d + %d > %d)",
+ (int) sizeof(*r), (int) r->ie_len,
+ (int) r->beacon_ie_len, len);
os_free(r);
break;
}
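Review bot: The new length check adds three unsigned terms before comparing, so if `ie_len` and `beacon_ie_len` are `size_t` (the `(int)` casts in the log call suggest they are wider than int; the struct is not shown here), a large value copied in from the peer can wrap the sum and pass the test. Comparing by subtraction avoids the wrap: `if ((size_t) len < sizeof(*r) || r->ie_len > (size_t) len - sizeof(*r) || r->beacon_ie_len > (size_t) len - sizeof(*r) - r->ie_len) {`. The `len < sizeof(*r)` term matters because `r->ie_len` is read right after `os_memcpy(r, pos, len)`; whether `len` is already known to cover the whole struct is decided above the hunk and should be confirmed there. The same `(int)` casts make the `%d` log output misleading for exactly the oversized values this branch is meant to report. The enclosing loop in wpa_driver_privsep_get_scan_results2 starts and ends outside the hunk.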
diff --git a/wpa_supplicant/wpa_priv.c b/wpa_supplicant/wpa_priv.c
index 6de590a..328972f 100644
--- a/wpa_supplicant/wpa_priv.c
+++ b/wpa_supplicant/wpa_priv.c
@@ -177,7 +177,7 @@ static void wpa_priv_get_scan_results2(struct wpa_priv_interface *iface,
for (i = 0; i < res->num; i++) {
struct wpa_scan_res *r = res->res[i];
- val = sizeof(*r) + r->ie_len;
+ val = sizeof(*r) + r->ie_len + r->beacon_ie_len;
if (end - pos < (int) sizeof(int) + val)
break;
os_memcpy(pos, &val, sizeof(int));
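Review bot: The summed size is stored in `val` before any range check, and `val` appears to be an int (it is written out with `os_memcpy(pos, &val, sizeof(int))`; its declaration is outside the hunk). A driver-reported `ie_len + beacon_ie_len` above INT_MAX would therefore be truncated or turn negative, and the `end - pos` test would no longer bound what gets copied. Computing the size as `size_t need = sizeof(*r) + r->ie_len + r->beacon_ie_len;` and breaking on `need > (size_t) INT_MAX` before `val = (int) need;` keeps the space check meaningful. The copy of the record itself follows the hunk; it is worth confirming there that the Beacon IEs sit directly after the regular IEs in `r`, since the new length assumes that layout.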