authorJouni Malinen <j@w1.fi>2015-04-19 08:42:02 (GMT)
committerJouni Malinen <j@w1.fi>2015-04-22 08:44:19 (GMT)
commitd4c4ec9240eed83f51300da17a7847cb36549dd7 (patch)
tree1a2c4c214c1aab7c70ab40acc86bbe99b78831a9 /wlantest
parent253103681c84e605b8a9b2f2278e6b09a2d1d297 (diff)
wlantest: Verify FTIE length before checking MIC
tdls_verify_mic() and tdls_verify_mic_teardown() could have tried to read the 16-octet FTIE MIC when processing a TDLS frame even if the received FTIE is truncated. At least in theory, this could result in reading a couple of octets beyond the frame buffer. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wlantest')
-rw-r--r--wlantest/rx_tdls.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/wlantest/rx_tdls.c b/wlantest/rx_tdls.c
index d9247c1..f059e8d 100644
--- a/wlantest/rx_tdls.c
+++ b/wlantest/rx_tdls.c
@@ -142,7 +142,8 @@ static int tdls_verify_mic(struct wlantest *wt, struct wlantest_tdls *tdls,
struct rsn_ftie *tmp_ftie;
if (elems->link_id == NULL || elems->rsn_ie == NULL ||
- elems->timeout_int == NULL || elems->ftie == NULL)
+ elems->timeout_int == NULL || elems->ftie == NULL ||
+ elems->ftie_len < sizeof(struct rsn_ftie))
return -1;
len = 2 * ETH_ALEN + 1 + 2 + 18 + 2 + elems->rsn_ie_len +
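Review bot: The guard added in tdls_verify_mic() bounds only the FTIE; the `len` computation on the line after it still relies on fixed sizes for the other elements (the literal `18` looks like the Link Identifier element), and the hunk does not show where the lengths behind `elems->link_id` and `elems->timeout_int` are validated. If the element parser does not already enforce those lengths, the kind of over-read this commit closes for the MIC would remain for those pointers, and the same question applies to `elems->link_id` in tdls_verify_mic_teardown(). Once confirmed, a short comment above the check would record the assumption, e.g. `/* link_id and timeout_int lengths are enforced by the element parser; FTIE is variable-length and checked here */`. The function body continues outside the hunk.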
@@ -488,7 +489,8 @@ static int tdls_verify_mic_teardown(struct wlantest *wt,
const struct rsn_ftie *rx_ftie;
struct rsn_ftie *tmp_ftie;
- if (elems->link_id == NULL || elems->ftie == NULL)
+ if (elems->link_id == NULL || elems->ftie == NULL ||
+ elems->ftie_len < sizeof(struct rsn_ftie))
return -1;
len = 2 + 18 + 2 + 1 + 1 + 2 + elems->ftie_len;
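Review bot: A truncated FTIE now returns the same `-1` as a missing element, so depending on how the caller (outside this hunk) reports that value, a malformed frame may be indistinguishable from an ordinary verification failure in the capture analysis. A short FTIE in a TDLS Teardown frame is a noteworthy observation for a test tool, so consider splitting the length test out with its own log line, e.g. `if (elems->ftie_len < sizeof(struct rsn_ftie)) { wpa_printf(MSG_INFO, "TDLS: Truncated FTIE in Teardown"); return -1; }`. The same applies to the check in tdls_verify_mic(). tdls_verify_mic_teardown() continues past the end of the hunk.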