From 1c3e71d1499ae1dbe97dd517efcf554933c45bfd Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 5 Feb 2021 01:39:29 +0200
Subject: [PATCH] P2P: Add a maximum length limit for peer vendor IEs

This is mainly to help with fuzz testing that could generate overly long test data that would not be possible in real use cases due to MMPDU size limits. The implementation for storing vendor IEs with such unrealisticly long IE buffers can result in huge number of memory reallozations and analyzing those can be very heavy. While the maximum length of the fuzzing test input could be limited, it seems nicer to limit this IE storage limit instead to avoid timeouts from fuzz test runs.

Signed-off-by: Jouni Malinen
---
 src/p2p/p2p.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 5cbfc217f..9524aef5a 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -665,6 +665,8 @@ static void p2p_update_peer_vendor_elems(struct p2p_device *dev, const u8 *ies,
 if (wpabuf_resize(&dev->info.vendor_elems, 2 + len) < 0)
 break;
 wpabuf_put_data(dev->info.vendor_elems, pos - 2, 2 + len);
+ if (wpabuf_size(dev->info.vendor_elems) > 2000)
+ break;
 }
 }
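Review bot: The bound on the first added line is a bare magic number; give it a named constant whose comment records the rationale the commit message gives, e.g. `#define P2P_MAX_PEER_VENDOR_ELEMS_LEN 2000 /* bound storage of peer-supplied vendor IEs; MMPDU size limits make more unrealistic */` and `if (wpabuf_size(dev->info.vendor_elems) > P2P_MAX_PEER_VENDOR_ELEMS_LEN)`. Because the check runs after wpabuf_put_data, the stored buffer can exceed the limit by one element (up to 257 bytes if len is the one-octet IE length that `pos - 2` suggests), so the comment should call it a soft threshold; if an exact cap and one fewer reallocation are wanted, the test belongs before wpabuf_resize, guarded against vendor_elems still being NULL on the first pass. wpabuf_size reports the allocated size rather than the used length; the two presumably coincide with the grow-by-exactly-2+len pattern here, but wpabuf_len would state the intent directly. p2p_update_peer_vendor_elems starts outside the hunk.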