authorJouni Malinen <jouni@codeaurora.org>2019-05-24 13:59:25 (GMT)
committerJouni Malinen <j@w1.fi>2019-05-24 22:19:33 (GMT)
commite8ebef87cb4bb57a9d4b1ca3bc1ee2979ff8c297 (patch)
tree76457b8fc41947475429d3c7385a10dc2e4256bb
parent2dfe2ad6cb6d81f2ccf3a227029fa2b0e2e841d2 (diff)
WNM: Fix BSS Termination Duration subelement length validation
The length check for the BSS Termination Duration subelement was accidentally removed and this could result in reading up to 10 bytes beyond the end of a received frame. The bytes actually read would be stored locally, but they were not used for anything, so other than reading beyond the end of an allocated heap memory buffer, this did not result in any behavior difference or exposure of the bytes. Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14922 Fixes: 093226783dc7 ("WNM: Simplify how candidate subelements are stored") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--wpa_supplicant/wnm_sta.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 22a2136..e6d7d66 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -451,6 +451,11 @@ static void wnm_parse_neighbor_report_elem(struct neighbor_report *rep,
rep->preference_present = 1;
break;
case WNM_NEIGHBOR_BSS_TERMINATION_DURATION:
+ if (elen < 10) {
+ wpa_printf(MSG_DEBUG,
+ "WNM: Too short BSS termination duration");
+ break;
+ }
rep->bss_term_tsf = WPA_GET_LE64(pos);
rep->bss_term_dur = WPA_GET_LE16(pos + 8);
rep->bss_term_present = 1;
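Review bot: The bound `10` in the added `if (elen < 10)` is a bare magic number, and nothing in the hunk ties it to the two reads it protects; a one-line comment above the check would make the relation explicit for the next person who touches either read, e.g. `/* BSS Termination Duration subelement body: 8-octet BSS Termination TSF followed by 2-octet Duration = 10 octets */`. The value itself is correct as far as the hunk shows: `WPA_GET_LE64(pos)` consumes octets 0–7 and `WPA_GET_LE16(pos + 8)` octets 8–9, so `elen >= 10` is exactly what the two reads need, assuming `elen` is the subelement body length excluding the id/length header (its computation is outside the hunk, so this should be confirmed). Note that a too-short subelement only skips this subelement via `break` and leaves `bss_term_present` unset while the rest of the neighbor report continues to be parsed; that is reasonable, but worth stating in the commit or a comment since callers may rely on `bss_term_present` to decide whether the TSF/duration fields are valid. The enclosing `wnm_parse_neighbor_report_elem` begins and ends outside the hunk.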