author    Jouni Malinen <jouni@codeaurora.org>  2020-11-09 09:43:12 (GMT)
committer Jouni Malinen <j@w1.fi>  2021-02-03 22:25:40 (GMT)
commit    947272febe24a8f0ea828b5b2f35f13c3821901e
tree      ad4a025da72600f49682e8bfd0b0780100a1c54f
parent    25df656a8a5c95bd3989d1dba6ce96dc699747d8
P2P: Fix copying of secondary device types for P2P group client
Parsing and copying of WPS secondary device types list was verifying that the contents are not too long for the internal maximum in the case of WPS messages, but similar validation was missing from the case of P2P group information which encodes this information in a different attribute. This could result in writing beyond the memory area assigned for these entries and corrupting memory within an instance of struct p2p_device. This could result in invalid operations and unexpected behavior when trying to free pointers from that corrupted memory.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269

Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--  src/p2p/p2p.c  2
1 file changed, 2 insertions(+), 0 deletions(-)
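The commit message describes a length derived from a peer-supplied count being passed to memcpy without a clamp, so the copy runs past the fixed-size list inside struct p2p_device and into the fields that follow it, including pointers that are later freed. The following C program is an added example written for this page, not hostap code: it models that layout with a toy struct, replays the unclamped copy on a byte image of the struct (so the spill stays inside one char array and the demo remains defined behaviour while hitting the same offsets), and then applies the clamp the commit adds. The struct layouts, the names `toy_dev` and `toy_client_info`, the 8-byte entry size and the value 128 for WPS_SEC_DEV_TYPE_MAX_LEN are assumptions made for the demo; the peer data is constructed inline.

```c
/*
 * Added example (not hostap code). Models the fixed-size secondary device
 * type list inside struct p2p_device and shows (a) the unclamped copy that
 * spills into the neighbouring fields and (b) the clamp the commit adds.
 * Struct layouts, names and the value of WPS_SEC_DEV_TYPE_MAX_LEN are
 * assumptions made for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WPS_DEV_TYPE_LEN 8               /* one device type entry is 8 bytes */
#define WPS_SEC_DEV_TYPE_MAX_LEN 128     /* assumed capacity: 16 entries */
#define MAX_SEC_DEV_TYPES (WPS_SEC_DEV_TYPE_MAX_LEN / WPS_DEV_TYPE_LEN)
#define DEMO_MAX_ENTRIES 32              /* size of the constructed peer record */

/* Toy stand-in for the affected part of struct p2p_device. */
struct toy_dev {
	uint8_t wps_sec_dev_type_list[WPS_SEC_DEV_TYPE_MAX_LEN];
	size_t wps_sec_dev_type_list_len;
	char *model_name;                /* a pointer that is later passed to free() */
};

/* Toy stand-in for parsed P2P group client info; the count comes from the peer. */
struct toy_client_info {
	const uint8_t *sec_dev_types;
	size_t num_sec_dev_types;
};

static char sentinel[] = "model";    /* what model_name should still point at */
static uint8_t demo_buf[DEMO_MAX_ENTRIES * WPS_DEV_TYPE_LEN];

/* Constructed peer record with n entries; every byte of entry k holds the value k. */
static struct toy_client_info make_client(size_t n)
{
	struct toy_client_info cli;
	size_t k;

	if (n > DEMO_MAX_ENTRIES)
		n = DEMO_MAX_ENTRIES;
	for (k = 0; k < n * WPS_DEV_TYPE_LEN; k++)
		demo_buf[k] = (uint8_t)(k / WPS_DEV_TYPE_LEN);
	cli.sec_dev_types = demo_buf;
	cli.num_sec_dev_types = n;
	return cli;
}

/* The check that was missing. Comparing the count rather than 8 * count
 * means the multiplication can never wrap for a huge size_t count. */
static int sec_dev_types_fit(size_t num_sec_dev_types)
{
	return num_sec_dev_types <= MAX_SEC_DEV_TYPES;
}

/*
 * Replays the unclamped copy on a byte image of the struct. Returns 1 if the
 * copy reached the model_name pointer, i.e. the bytes a later free() would use.
 */
static int unclamped_copy_clobbers_pointer(size_t n)
{
	struct toy_client_info cli = make_client(n);
	struct toy_dev dev;
	unsigned char image[sizeof(dev)];
	size_t off = offsetof(struct toy_dev, wps_sec_dev_type_list);
	size_t len = WPS_DEV_TYPE_LEN * cli.num_sec_dev_types;   /* no clamp */

	memset(&dev, 0, sizeof(dev));
	dev.model_name = sentinel;
	memcpy(image, &dev, sizeof(dev));
	/* Demo-only bound so the replay never leaves the image; the real bug had none. */
	if (len > sizeof(image) - off)
		len = sizeof(image) - off;
	memcpy(image + off, cli.sec_dev_types, len);
	memcpy(&dev, image, sizeof(dev));
	return dev.model_name != sentinel;
}

/* The fix: clamp the derived length to the destination before copying.
 * Returns the number of entries kept, or -1 if the pointer got clobbered. */
static long clamped_copy_kept(size_t n)
{
	struct toy_client_info cli = make_client(n);
	struct toy_dev dev;
	size_t len = WPS_DEV_TYPE_LEN * cli.num_sec_dev_types;

	memset(&dev, 0, sizeof(dev));
	dev.model_name = sentinel;
	if (len > WPS_SEC_DEV_TYPE_MAX_LEN)
		len = WPS_SEC_DEV_TYPE_MAX_LEN;      /* the clamp the commit adds */
	dev.wps_sec_dev_type_list_len = len;
	memcpy(dev.wps_sec_dev_type_list, cli.sec_dev_types, len);
	if (dev.model_name != sentinel)
		return -1;
	return (long)(dev.wps_sec_dev_type_list_len / WPS_DEV_TYPE_LEN);
}

int main(void)
{
	printf("17 entries fit: %d\n", sec_dev_types_fit(17));
	printf("20 entries, unclamped copy clobbers pointer: %d\n",
	       unclamped_copy_clobbers_pointer(20));
	printf("20 entries, clamped copy kept %ld entries\n", clamped_copy_kept(20));
	return 0;
}
```

With 20 peer entries (160 bytes) the replay overwrites both the length field and the pointer that follows the list, which is the corruption the commit message refers to; the clamped copy keeps 16 entries and leaves the pointer untouched. Note that 17 entries would corrupt only the length field and leave the pointer intact, so a pointer-only sanity check would miss that case.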
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 74b7b52..5cbfc21 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
dev->info.config_methods = cli->config_methods;
os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
dev->info.wps_sec_dev_type_list_len);
}
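Review bot: the clamp added before the os_memcpy() still evaluates `8 * cli->num_sec_dev_types` before comparing, so if num_sec_dev_types is a wide type (size_t or similar) a very large count can wrap the product below WPS_SEC_DEV_TYPE_MAX_LEN and pass the check; if it is a small type this cannot happen, but comparing the count avoids the question entirely, e.g. `if (cli->num_sec_dev_types > WPS_SEC_DEV_TYPE_MAX_LEN / 8)`. The truncation is also silent: a wpa_printf(MSG_DEBUG, ...) stating how many entries were dropped would help when debugging peer interop, and unless WPS_SEC_DEV_TYPE_MAX_LEN is a multiple of 8 the byte-level clamp can cut the last entry in half. Finally, this hunk only protects the copy into dev->info; it is worth confirming that the parser that fills cli->sec_dev_types bounds num_sec_dev_types itself, since otherwise the earlier copy into the client info structure has the same problem.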