aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/events.c
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2013-11-20 10:08:09 (GMT)
committerJouni Malinen <j@w1.fi>2013-11-20 10:49:27 (GMT)
commit93a06fe103932167afeff61953239925221832b9 (patch)
tree25d563bb2310af4301b0b61efb3a3cfa4df945a8 /wpa_supplicant/events.c
parent00043740251716e83ca8a01b5b8a2bed1ed02db9 (diff)
downloadhostap-93a06fe103932167afeff61953239925221832b9.zip
hostap-93a06fe103932167afeff61953239925221832b9.tar.gz
hostap-93a06fe103932167afeff61953239925221832b9.tar.bz2
Fix QoS Map Configure frame use
The QoS Map Set element was passed in full to the driver instead of just the payload of the element. This resulted in the updated QoS Map being rejected. Validate the element id/len and send only the payload to the driver. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'wpa_supplicant/events.c')
-rw-r--r--wpa_supplicant/events.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 44e6be3..b70e1fb 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3028,12 +3028,15 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
if (data->rx_action.category == WLAN_ACTION_QOS &&
data->rx_action.len >= 1 &&
data->rx_action.data[0] == QOS_QOS_MAP_CONFIG) {
+ const u8 *pos = data->rx_action.data + 1;
+ size_t len = data->rx_action.len - 1;
wpa_dbg(wpa_s, MSG_DEBUG, "Interworking: Received QoS Map Configure frame from "
MACSTR, MAC2STR(data->rx_action.sa));
- if (os_memcmp(data->rx_action.sa, wpa_s->bssid, ETH_ALEN)
- == 0)
- wpas_qos_map_set(wpa_s, data->rx_action.data + 1,
- data->rx_action.len - 1);
+ if (os_memcmp(data->rx_action.sa, wpa_s->bssid,
+ ETH_ALEN) == 0 &&
+ len > 2 && pos[0] == WLAN_EID_QOS_MAP_SET &&
+ pos[1] <= len - 2 && pos[1] >= 16)
+ wpas_qos_map_set(wpa_s, pos + 2, pos[1]);
break;
}
#endif /* CONFIG_INTERWORKING */