author | Jouni Malinen <j@w1.fi> | 2014-06-29 21:43:28 (GMT) |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2014-07-02 09:38:48 (GMT) |
commit | d3fa2bbb0278ffe34fc4486f04c4281a2b100c67 (patch) | |
tree | 2a4943b20792c5df16322456b2242521cc92d245 /wpa_supplicant/wifi_display.c | |
parent | 745ef1847801c56041a5a33af892827c63e02163 (diff) | |

WFD: Explicit limit for subelement length (CID 68127)

This adds an explicit limit for the maximum Wi-Fi Display subelement
length for ASCII hexdump. This would not really be needed since the
buffer is already limited by maximum frame length. Anyway, since this
can make static analyzers happier and the subelement used with this
function is short, we may as well include an explicit check.

Signed-off-by: Jouni Malinen <j@w1.fi>

Diffstat (limited to 'wpa_supplicant/wifi_display.c')
-rw-r--r-- | wpa_supplicant/wifi_display.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/wpa_supplicant/wifi_display.c b/wpa_supplicant/wifi_display.c index f0c4364..b6f9236 100644 --- a/wpa_supplicant/wifi_display.c +++ b/wpa_supplicant/wifi_display.c @@ -280,6 +280,16 @@ char * wifi_display_subelem_hex(const struct wpabuf *wfd_subelems, u8 id) break; /* truncated subelement */ if (buf[i] == id) { + /* + * Limit explicitly to an arbitrary length to avoid + * unnecessarily large allocations. In practice, this + * is limited to maximum frame length anyway, so the + * maximum memory allocation here is not really that + * large. Anyway, the Wi-Fi Display subelements that + * are fetched with this function are even shorter. + */ + if (elen > 1000) + break; subelem = os_zalloc(2 * elen + 1); if (!subelem) return NULL; |
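Review bot: the literal 1000 in the added `if (elen > 1000)` check inside `wifi_display_subelem_hex()` is unnamed, and the added comment itself calls it arbitrary. A named constant defined next to the other Wi-Fi Display limits would make the bound easier to find and to adjust. The `break` also takes the same exit as the "truncated subelement" case directly above it, so an oversized subelement with a matching id is dropped with no trace and the caller cannot tell it apart from a missing or truncated one. A debug-level log line before the `break` would make that case visible. With the cap in place, the `os_zalloc(2 * elen + 1)` that follows is bounded at 2001 bytes, which is worth stating in the comment in place of "not really that large".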