authorJouni Malinen <jouni@qca.qualcomm.com>2014-04-07 21:53:55 (GMT)
committerJouni Malinen <j@w1.fi>2014-04-07 22:01:55 (GMT)
commit1aa6f953bb7b9093decc5817a2a7eaacf2eae61b (patch)
tree78d3e2e440da5504080bcd6c6f906c89b4910372 /wpa_supplicant/wnm_sta.c
parent5583b8d1eb576a1be8492f0d58ebc4677260d477 (diff)
WNM: Fix neighbor report subelement parser
Only the Neighbor Report element should be included here, so verify that the element id matches. In addition, verify that each subelement has valid length before using the data. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'wpa_supplicant/wnm_sta.c')
-rw-r--r--wpa_supplicant/wnm_sta.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 1ca4c71..cccc61f 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -461,8 +461,15 @@ static void wnm_parse_neighbor_report(struct wpa_supplicant *wpa_s,
id = *pos++;
elen = *pos++;
+ wpa_printf(MSG_DEBUG, "WNM: Subelement id=%u len=%u", id, elen);
+ left -= 2;
+ if (elen > left) {
+ wpa_printf(MSG_DEBUG,
+ "WNM: Truncated neighbor report subelement");
+ break;
+ }
wnm_parse_neighbor_report_elem(rep, id, elen, pos);
- left -= 2 + elen;
+ left -= elen;
pos += elen;
}
}
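Review bot: The truncation path at `break;` stops parsing but cannot report the failure, because wnm_parse_neighbor_report() is `static void` per the hunk header. The caller in the second hunk still runs `wpa_s->wnm_num_neighbor_report++`, so a report cut short by a bad subelement length is kept as a counted entry holding only the fields filled before the break. That increment also sits after the closing brace of `if (tag == WLAN_EID_NEIGHBOR_REPORT)`, so an element with another tag consumes a slot that was never parsed. Consider returning a status (`return -1;` in place of `break;`) and moving the increment inside that `if`, conditional on success. The loop condition is outside this hunk, so `left -= 2;` presumably relies on a `left >= 2` guard there; a comment such as `/* loop guard ensures left >= 2 here */` would make that dependency explicit.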
@@ -695,10 +702,12 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
wpa_printf(MSG_DEBUG, "WNM: Truncated request");
return;
}
- wnm_parse_neighbor_report(
- wpa_s, pos, len,
- &wpa_s->wnm_neighbor_report_elements[
- wpa_s->wnm_num_neighbor_report]);
+ if (tag == WLAN_EID_NEIGHBOR_REPORT) {
+ struct neighbor_report *rep;
+ rep = &wpa_s->wnm_neighbor_report_elements[
+ wpa_s->wnm_num_neighbor_report];
+ wnm_parse_neighbor_report(wpa_s, pos, len, rep);
+ }
pos += len;
wpa_s->wnm_num_neighbor_report++;