WMM: Do not modify input TSPEC buffer during processing
The WMM TSPEC processor used the input buffer for processing the request and building the response. This was fine for the FT case, but for the WMM Action frame case, the input buffer is marked const, so it should not really be modified. This modification could not really cause any noticeable harm, but it can result in error reports from fuzzing and potentially even from some static analyzers. Fix this by marking the input arguments const more consistently (the parsed IE was able to drop the const) and copy the const input data to a temporary buffer for processing and modification instead of allowing the input data to be modified. Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19050 Signed-off-by: Jouni Malinen <j@w1.fi>
parent
e8ccbef251
commit
5b50265e13
1 changed files with 5 additions and 3 deletions
|
@ -291,10 +291,11 @@ int wmm_process_tspec(struct wmm_tspec_element *tspec)
|
||||||
|
|
||||||
static void wmm_addts_req(struct hostapd_data *hapd,
|
static void wmm_addts_req(struct hostapd_data *hapd,
|
||||||
const struct ieee80211_mgmt *mgmt,
|
const struct ieee80211_mgmt *mgmt,
|
||||||
struct wmm_tspec_element *tspec, size_t len)
|
const struct wmm_tspec_element *tspec, size_t len)
|
||||||
{
|
{
|
||||||
const u8 *end = ((const u8 *) mgmt) + len;
|
const u8 *end = ((const u8 *) mgmt) + len;
|
||||||
int res;
|
int res;
|
||||||
|
struct wmm_tspec_element tspec_resp;
|
||||||
|
|
||||||
if ((const u8 *) (tspec + 1) > end) {
|
if ((const u8 *) (tspec + 1) > end) {
|
||||||
wpa_printf(MSG_DEBUG, "WMM: TSPEC overflow in ADDTS Request");
|
wpa_printf(MSG_DEBUG, "WMM: TSPEC overflow in ADDTS Request");
|
||||||
|
@ -306,10 +307,11 @@ static void wmm_addts_req(struct hostapd_data *hapd,
|
||||||
mgmt->u.action.u.wmm_action.dialog_token,
|
mgmt->u.action.u.wmm_action.dialog_token,
|
||||||
MAC2STR(mgmt->sa));
|
MAC2STR(mgmt->sa));
|
||||||
|
|
||||||
res = wmm_process_tspec(tspec);
|
os_memcpy(&tspec_resp, tspec, sizeof(struct wmm_tspec_element));
|
||||||
|
res = wmm_process_tspec(&tspec_resp);
|
||||||
wpa_printf(MSG_DEBUG, "WMM: ADDTS processing result: %d", res);
|
wpa_printf(MSG_DEBUG, "WMM: ADDTS processing result: %d", res);
|
||||||
|
|
||||||
wmm_send_action(hapd, mgmt->sa, tspec, WMM_ACTION_CODE_ADDTS_RESP,
|
wmm_send_action(hapd, mgmt->sa, &tspec_resp, WMM_ACTION_CODE_ADDTS_RESP,
|
||||||
mgmt->u.action.u.wmm_action.dialog_token, res);
|
mgmt->u.action.u.wmm_action.dialog_token, res);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
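Review bot: The new `os_memcpy()` in the second hunk reads a full element out of the received frame, and the only thing bounding that read is the `(const u8 *) (tspec + 1) > end` check in the first hunk, whose early return falls between the two hunks and is not visible here. I would size the copy from the destination, `os_memcpy(&tspec_resp, tspec, sizeof(tspec_resp));`, so the length cannot drift from the local buffer if either declaration changes. A comment above the copy would also help, for example `/* Local copy: the frame is const and wmm_process_tspec() updates the element in place; length was checked against end above */`. That check validates only the upper bound, so whether `tspec` always points inside `mgmt` depends on the caller, which is outside this page.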