authorJouni Malinen <j@w1.fi>2014-06-13 12:25:39 (GMT)
committerJouni Malinen <j@w1.fi>2014-06-13 12:25:39 (GMT)
commit49d13df63cd9219585b0e05cc9c23bfb9a5aa2f3 (patch)
tree0e19eb1c79344c99904821f5e68d755aaa859be8 /wpa_supplicant/wifi_display.c
parent1851e17a64eb5efb0b4bc36ffe2aaa5fe7e0abb0 (diff)
P2P: Fix wfd_dev_info parsing for P2P-DEVICE-FOUND (CID 68127)
Commit b125c48fce823f28d22ebd68297c5b94366c6aa1 ('P2P: Add wfd_dev_info= field for device found event') added Wi-Fi Display device info to the P2P-DEVICE-FOUND events. However, it did not include proper bounds checking in wifi_display_subelem_hex() and could accept subelements with invalid length field values. This could result in buffer read overflow of up to 64 kB and inclusion of heap memory in the local control interface event and/or process crash due to invalid memory access. Fix this by checking the validity of the length field before writing a hexdump of the data. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/wifi_display.c')
1 files changed, 2 insertions, 0 deletions
diff --git a/wpa_supplicant/wifi_display.c b/wpa_supplicant/wifi_display.c
index 8435b63..f0c4364 100644
--- a/wpa_supplicant/wifi_display.c
+++ b/wpa_supplicant/wifi_display.c
@@ -276,6 +276,8 @@ char * wifi_display_subelem_hex(const struct wpabuf *wfd_subelems, u8 id)
while (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN < buflen) {
elen = WPA_GET_BE16(buf + i + 1);
+ if (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN + elen > buflen)
+ break; /* truncated subelement */
if (buf[i] == id) {
subelem = os_zalloc(2 * elen + 1);