path: root/wpa_supplicant/wifi_display.c
diff options
authorJouni Malinen <j@w1.fi>2014-06-29 21:43:28 (GMT)
committerJouni Malinen <j@w1.fi>2014-07-02 09:38:48 (GMT)
commitd3fa2bbb0278ffe34fc4486f04c4281a2b100c67 (patch)
tree2a4943b20792c5df16322456b2242521cc92d245 /wpa_supplicant/wifi_display.c
parent745ef1847801c56041a5a33af892827c63e02163 (diff)
WFD: Explicit limit for subelement length (CID 68127)
This adds an explicit limit for the maximum Wi-Fi Display subelement length for ASCII hexdump. This would not really be needed since the buffer is already limited by maximum frame length. Anyway, since this can make static analyzers happier and the subelement used with this function is short, we may as well include an explicit check. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/wifi_display.c')
1 files changed, 10 insertions, 0 deletions
diff --git a/wpa_supplicant/wifi_display.c b/wpa_supplicant/wifi_display.c
index f0c4364..b6f9236 100644
--- a/wpa_supplicant/wifi_display.c
+++ b/wpa_supplicant/wifi_display.c
@@ -280,6 +280,16 @@ char * wifi_display_subelem_hex(const struct wpabuf *wfd_subelems, u8 id)
break; /* truncated subelement */
if (buf[i] == id) {
+ /*
+ * Limit explicitly to an arbitrary length to avoid
+ * unnecessarily large allocations. In practice, this
+ * is limited to maximum frame length anyway, so the
+ * maximum memory allocation here is not really that
+ * large. Anyway, the Wi-Fi Display subelements that
+ * are fetched with this function are even shorter.
+ */
+ if (elen > 1000)
+ break;
subelem = os_zalloc(2 * elen + 1);
if (!subelem)
return NULL;