aboutsummaryrefslogtreecommitdiffstats
path: root/src/drivers/driver_wext.c
diff options
context:
space:
mode:
authorJouni Malinen <jouni.malinen@atheros.com>2008-09-27 07:49:56 (GMT)
committerJouni Malinen <j@w1.fi>2008-09-27 07:49:56 (GMT)
commit36b5e559f1387d4e02059753ecfb04461d62f381 (patch)
treec6b01535b5266e8881e58272b43a3a23b47fa213 /src/drivers/driver_wext.c
parentfa2ec7eb634a0ed9dd9885d38ab6a49d23d218a1 (diff)
downloadhostap-36b5e559f1387d4e02059753ecfb04461d62f381.zip
hostap-36b5e559f1387d4e02059753ecfb04461d62f381.tar.gz
hostap-36b5e559f1387d4e02059753ecfb04461d62f381.tar.bz2
Validate WEXT event iwe->u.data.length before using the event data
This is needed to avoid crashing wpa_supplicant with invalid event messages that may be received when using 64-bit kernel with 32-bit userspace.
Diffstat (limited to 'src/drivers/driver_wext.c')
-rw-r--r--src/drivers/driver_wext.c25
1 files changed, 24 insertions, 1 deletions
diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c
index a3c4733..6b7f1a7 100644
--- a/src/drivers/driver_wext.c
+++ b/src/drivers/driver_wext.c
@@ -652,12 +652,20 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
}
break;
case IWEVMICHAELMICFAILURE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVMICHAELMICFAILURE length");
+ return;
+ }
wpa_driver_wext_event_wireless_michaelmicfailure(
ctx, custom, iwe->u.data.length);
break;
case IWEVCUSTOM:
- if (custom + iwe->u.data.length > end)
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVCUSTOM length");
return;
+ }
buf = os_malloc(iwe->u.data.length + 1);
if (buf == NULL)
return;
@@ -673,14 +681,29 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL);
break;
case IWEVASSOCREQIE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVASSOCREQIE length");
+ return;
+ }
wpa_driver_wext_event_wireless_assocreqie(
drv, custom, iwe->u.data.length);
break;
case IWEVASSOCRESPIE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVASSOCRESPIE length");
+ return;
+ }
wpa_driver_wext_event_wireless_assocrespie(
drv, custom, iwe->u.data.length);
break;
case IWEVPMKIDCAND:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVPMKIDCAND length");
+ return;
+ }
wpa_driver_wext_event_wireless_pmkidcand(
drv, custom, iwe->u.data.length);
break;