Validate WEXT event iwe->u.data.length before using the event data

This is needed to avoid crashing wpa_supplicant with invalid event messages
that may be received when using 64-bit kernel with 32-bit userspace.
Jouni Malinen 2008-09-27 10:49:56 +03:00 committed by Jouni Malinen
parent fa2ec7eb63
commit 36b5e559f1


@ -652,12 +652,20 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
} }
break; break;
case IWEVMICHAELMICFAILURE: case IWEVMICHAELMICFAILURE:
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVMICHAELMICFAILURE length");
return;
}
wpa_driver_wext_event_wireless_michaelmicfailure( wpa_driver_wext_event_wireless_michaelmicfailure(
ctx, custom, iwe->u.data.length); ctx, custom, iwe->u.data.length);
break; break;
case IWEVCUSTOM: case IWEVCUSTOM:
if (custom + iwe->u.data.length > end) if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVCUSTOM length");
return; return;
}
buf = os_malloc(iwe->u.data.length + 1); buf = os_malloc(iwe->u.data.length + 1);
if (buf == NULL) if (buf == NULL)
return; return;
@ -673,14 +681,29 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL); wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL);
break; break;
case IWEVASSOCREQIE: case IWEVASSOCREQIE:
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVASSOCREQIE length");
return;
}
wpa_driver_wext_event_wireless_assocreqie( wpa_driver_wext_event_wireless_assocreqie(
drv, custom, iwe->u.data.length); drv, custom, iwe->u.data.length);
break; break;
case IWEVASSOCRESPIE: case IWEVASSOCRESPIE:
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVASSOCRESPIE length");
return;
}
wpa_driver_wext_event_wireless_assocrespie( wpa_driver_wext_event_wireless_assocrespie(
drv, custom, iwe->u.data.length); drv, custom, iwe->u.data.length);
break; break;
case IWEVPMKIDCAND: case IWEVPMKIDCAND:
if (custom + iwe->u.data.length > end) {
wpa_printf(MSG_DEBUG, "WEXT: Invalid "
"IWEVPMKIDCAND length");
return;
}
wpa_driver_wext_event_wireless_pmkidcand( wpa_driver_wext_event_wireless_pmkidcand(
drv, custom, iwe->u.data.length); drv, custom, iwe->u.data.length);
break; break;
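Review bot: The added check `custom + iwe->u.data.length > end` (IWEVMICHAELMICFAILURE, and the same line in IWEVCUSTOM, IWEVASSOCREQIE, IWEVASSOCRESPIE and IWEVPMKIDCAND) computes a pointer that can lie beyond the buffer before it is compared, which C leaves undefined, so the guard is not guaranteed to reject an oversized length. Comparing the length against the bytes that remain avoids forming that pointer: `if (custom > end || iwe->u.data.length > end - custom) {`. Where `custom` and `end` are set is outside these hunks, so the first half of that condition may turn out to be redundant. The five copies of the check could also share one small static helper that takes the event name for the debug message.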