authorJouni Malinen <j@w1.fi>2015-04-19 13:28:35 (GMT)
committerJouni Malinen <j@w1.fi>2015-04-22 19:05:11 (GMT)
commitae7a42bde24f13d2a1324538713c50ca3afc9581 (patch)
tree78d2f85a5b8186c82fdaf14486894515858f1ae5 /src/rsn_supp
parentc9bf7b66234eafc07db6fda9cfc26e0c151e417e (diff)
FT: Check FT, MD, and Timeout Interval length in the parser
All the existing users of these elements were already validating the element length. However, it is clearer to validate this already at the parser for an extra layer of protection for any future changes. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/rsn_supp')
-rw-r--r--src/rsn_supp/wpa_ie.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index 0d96216..5741a5b 100644
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -511,12 +511,14 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
ie->rsn_ie_len = pos[1] + 2;
wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
ie->rsn_ie, ie->rsn_ie_len);
- } else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
+ } else if (*pos == WLAN_EID_MOBILITY_DOMAIN &&
+ pos[1] >= sizeof(struct rsn_mdie)) {
ie->mdie = pos;
ie->mdie_len = pos[1] + 2;
wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
ie->mdie, ie->mdie_len);
- } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
+ } else if (*pos == WLAN_EID_FAST_BSS_TRANSITION &&
+ pos[1] >= sizeof(struct rsn_ftie)) {
ie->ftie = pos;
ie->ftie_len = pos[1] + 2;
wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
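Review bot: An MDIE or FTIE shorter than its fixed structure is now skipped without any trace, because the length test is folded into the `else if` conditions of the WLAN_EID_MOBILITY_DOMAIN and WLAN_EID_FAST_BSS_TRANSITION branches and a short element simply falls through to whatever branches follow outside the hunk. A truncated FT element in an EAPOL-Key frame is worth seeing in a debug log, so I would keep the element-ID test as the branch condition and reject the short case inside it with a message such as `wpa_printf(MSG_DEBUG, "WPA: Ignoring too short MDIE in EAPOL-Key (len=%u)", pos[1]);`, and the same for the FTIE. The branches also deserve a comment that `ie->mdie` and `ie->ftie` are left unset for undersized elements, since callers presumably have to treat that as "element missing" and fail FT validation rather than continue. The body of wpa_supplicant_parse_ies starts and ends outside this hunk, so the check of pos[1] against the remaining buffer cannot be confirmed from here.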