authorJouni Malinen <j@w1.fi>2015-05-03 13:24:01 (GMT)
committerJouni Malinen <j@w1.fi>2015-05-03 13:33:08 (GMT)
commitfd66aa63f4390b9a6155a9b6fd9ebcb37e7290dd (patch)
tree511a520936282528c69786f2f8d1289189fca861 /src/ap/ieee802_11.c
parentff4a6d4382d399a6bdfad24d75105b8fc1481387 (diff)
Check Public Action length explicitly before reading Action Code
In theory, the previous version could have resulted in reading one byte beyond the end of the management frame RX buffer if the local driver were to deliver a truncated Public Action frame for processing. In practice, this did not seem to happen with mac80211-based drivers, and even if it did, the extra octet would be an uninitialized value in a buffer rather than a read beyond the end of the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/ap/ieee802_11.c')
-rw-r--r--src/ap/ieee802_11.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 9e7d70d..8d2a066 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2098,7 +2098,8 @@ static int handle_action(struct hostapd_data *hapd,
case WLAN_ACTION_PUBLIC:
case WLAN_ACTION_PROTECTED_DUAL:
#ifdef CONFIG_IEEE80211N
- if (mgmt->u.action.u.public_action.action ==
+ if (len >= IEEE80211_HDRLEN + 2 &&
+ mgmt->u.action.u.public_action.action ==
WLAN_PA_20_40_BSS_COEX) {
wpa_printf(MSG_DEBUG,
"HT20/40 coex mgmt frame received from STA "
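Review bot: The `+ 2` in the added `len >= IEEE80211_HDRLEN + 2` test is an unexplained literal; a short comment above the condition, such as `/* Category and Action Code octets must both be present */`, would make clear which fields the bound covers. The guard only protects this one comparison inside `#ifdef CONFIG_IEEE80211N`: a truncated Public Action frame is not dropped here but falls through to whatever follows in the `WLAN_ACTION_PUBLIC` case, so any later consumer of `mgmt` and `len` has to validate the length itself. The rest of the case and of handle_action lies outside the hunk, so whether those paths are already bounded cannot be confirmed from here.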