jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Validate WEXT event iwe->u.data.length before using the event data

Browse source 
This is needed to avoid crashing wpa_supplicant with invalid event messages
that may be received when using 64-bit kernel with 32-bit userspace.
This commit is contained in:
Jouni Malinen 2008-09-27 10:49:56 +03:00 committed by Jouni Malinen
parent fa2ec7eb63
commit 36b5e559f1
1 changed files with 24 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
src/drivers/driver_wext.c
View file

@ -652,12 +652,20 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
}
break;
case IWEVMICHAELMICFAILURE:
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVMICHAELMICFAILURE length");
return;
}
wpa_driver_wext_event_wireless_michaelmicfailure(
ctx, custom, iwe->u.data.length);
break;
case IWEVCUSTOM:
if (custom + iwe->u.data.length > end)
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVCUSTOM length");
return;
}
buf = os_malloc(iwe->u.data.length + 1);
if (buf == NULL)
return;
@ -673,14 +681,29 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL);
break;
case IWEVASSOCREQIE:
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVASSOCREQIE length");
return;
}
wpa_driver_wext_event_wireless_assocreqie(
drv, custom, iwe->u.data.length);
break;
case IWEVASSOCRESPIE:
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVASSOCRESPIE length");
return;
}
wpa_driver_wext_event_wireless_assocrespie(
drv, custom, iwe->u.data.length);
break;
case IWEVPMKIDCAND:
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVPMKIDCAND length");
return;
}
wpa_driver_wext_event_wireless_pmkidcand(
drv, custom, iwe->u.data.length);
break;