authorJouni Malinen <jouni.malinen@atheros.com>2011-01-17 10:21:29 (GMT)
committerJouni Malinen <j@w1.fi>2011-01-17 10:21:29 (GMT)
commitcbcf92b42f237190b006ca8c3078593a58cbeac6 (patch)
treeb88a07ae7fc3a89aeb7b399dc8bef22895a56e8e /src
parente4d7b22a53bbeaf95e2e9560e4388835c172a46f (diff)
AP: Validate management frame length
Make sure that received management frames are long enough before processing them. This avoids a potential segmentation fault if a driver delivers an invalid frame all the way to hostapd.
Diffstat (limited to 'src')
-rw-r--r--src/ap/beacon.c2
-rw-r--r--src/ap/ieee802_11.c3
2 files changed, 5 insertions, 0 deletions
diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index 55c0654..380fb8d 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -211,6 +211,8 @@ void handle_probe_req(struct hostapd_data *hapd,
size_t i;
ie = mgmt->u.probe_req.variable;
+ if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req))
+ return;
ie_len = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req));
for (i = 0; hapd->probereq_cb && i < hapd->num_probereq_cb; i++)
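Review bot: The new guard in handle_probe_req drops a too-short frame with a bare `return;`, so a driver that delivers truncated Probe Request frames leaves no trace for whoever has to diagnose it. A debug line before the return would make this visible, e.g. `wpa_printf(MSG_DEBUG, "Probe Request frame too short (len=%lu)", (unsigned long) len);`. It would also help to add a one-line comment such as `/* reject short frames: the ie_len subtraction below would wrap */`, since `len` appears to be unsigned (its declaration is outside the hunk) and the wrapped value would otherwise flow into the probereq callbacks and IE parsing. The function starts and ends outside this hunk.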
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 94898cc..f65b79e 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1460,6 +1460,9 @@ void ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
int broadcast;
u16 fc, stype;
+ if (len < 24)
+ return;
+
mgmt = (struct ieee80211_mgmt *) buf;
fc = le_to_host16(mgmt->frame_control);
stype = WLAN_FC_GET_STYPE(fc);
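Review bot: The guard `if (len < 24)` in ieee802_11_mgmt uses a bare literal where the beacon.c hunk of this same commit spells the header length as `IEEE80211_HDRLEN`. Assuming that macro is visible in ieee802_11.c, `if (len < IEEE80211_HDRLEN)` keeps both checks tied to one definition. The check covers only the fixed management header that is read through `mgmt->frame_control`. The subtype handlers dispatched later in this function (outside the hunk) each still need their own minimum-length check for their fixed fields, as handle_probe_req now has. A comment such as `/* shorter than the fixed management header; nothing below may be read */` would record that scope.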