authorJouni Malinen <j@w1.fi>2015-04-18 14:59:30 (GMT)
committerJouni Malinen <j@w1.fi>2015-04-22 08:44:19 (GMT)
commit762a0bfb01b1651c728b6deeda06bf965634e390 (patch)
treeae95ffebc76dd68c696e5dd69de64aa517ad9898 /wlantest
parent26b3f644285b3cdd0493677a6462ddda5742dede (diff)
wlantest: Fix Beacon and Probe Response frame parser
These functions did not verify that the received frame is long enough to contain the beginning of the variable length IE area. A truncated frame could have caused a segmentation fault due to reading beyond the buffer. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wlantest')
-rw-r--r--wlantest/rx_mgmt.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/wlantest/rx_mgmt.c b/wlantest/rx_mgmt.c
index 5f60abe..459b9a6 100644
--- a/wlantest/rx_mgmt.c
+++ b/wlantest/rx_mgmt.c
@@ -53,16 +53,19 @@ static void rx_mgmt_beacon(struct wlantest *wt, const u8 *data, size_t len)
const struct ieee80211_mgmt *mgmt;
struct wlantest_bss *bss;
struct ieee802_11_elems elems;
+ size_t offset;
mgmt = (const struct ieee80211_mgmt *) data;
+ offset = mgmt->u.beacon.variable - data;
+ if (len < offset)
+ return;
bss = bss_get(wt, mgmt->bssid);
if (bss == NULL)
return;
if (bss->proberesp_seen)
return; /* do not override with Beacon data */
bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info);
- if (ieee802_11_parse_elems(mgmt->u.beacon.variable,
- len - (mgmt->u.beacon.variable - data),
+ if (ieee802_11_parse_elems(mgmt->u.beacon.variable, len - offset,
&elems, 0) == ParseFailed) {
if (bss->parse_error_reported)
return;
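Review bot: The new `if (len < offset) return;` guard in rx_mgmt_beacon drops a truncated Beacon without any trace, and the matching guard in the rx_mgmt_probe_resp hunk does the same. For a capture-analysis tool, a frame too short to hold its fixed fields is itself worth surfacing, so a one-line debug message at this return, using whatever logging helper the rest of the file already uses, would let an operator see malformed or crafted input instead of having it vanish. The check also protects the later `mgmt->bssid` and `mgmt->u.beacon.capab_info` reads, not just the `len - offset` subtraction, and a comment such as `/* frame must cover the fixed Beacon fields before mgmt->u.beacon is read */` would record that. The function body continues past the end of the hunk.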
@@ -81,16 +84,19 @@ static void rx_mgmt_probe_resp(struct wlantest *wt, const u8 *data, size_t len)
const struct ieee80211_mgmt *mgmt;
struct wlantest_bss *bss;
struct ieee802_11_elems elems;
+ size_t offset;
mgmt = (const struct ieee80211_mgmt *) data;
+ offset = mgmt->u.probe_resp.variable - data;
+ if (len < offset)
+ return;
bss = bss_get(wt, mgmt->bssid);
if (bss == NULL)
return;
bss->counters[WLANTEST_BSS_COUNTER_PROBE_RESPONSE]++;
bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info);
- if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
- len - (mgmt->u.probe_resp.variable - data),
+ if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - offset,
&elems, 0) == ParseFailed) {
if (bss->parse_error_reported)
return;
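Review bot: Because the new length check returns before `bss->counters[WLANTEST_BSS_COUNTER_PROBE_RESPONSE]++`, a truncated Probe Response is left out of the per-BSS statistics as well as the log. If that is intended, for example because a frame this short cannot be attributed reliably, a comment at the return such as `/* too short for the fixed fields; not counted */` would make the choice explicit. If malformed frames should be visible in test results, a debug message at this return is the least invasive option; a dedicated counter would need an enum value that is not visible in this hunk. The function body continues past the end of the hunk.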