jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

FST: Avoid using pointer to mgmt->u.action.u.fst_action

Browse source 
Typecasting &mgmt->u.action.u.fst_action to a struct pointer for various
FST Action frame payloads seemed to be triggering static analyzer
warnings about bounds checking since sizeof(mgmt->u.action.u.fst_action)
== 1 even though that is really a variable length structure. Try to
avoid this by calculating the pointer for the beginning of the frame
instead of variable length struct. (CID 125642)

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2015-07-17 20:37:15 +03:00 committed by Jouni Malinen
parent 85b563f7a4
commit 6462e7387d
1 changed files with 15 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
src/fst/fst_session.c
View file

@ -359,8 +359,7 @@ static void fst_session_handle_setup_request(struct fst_iface *iface,
size_t frame_len) size_t frame_len)
{ {
struct fst_session *s; struct fst_session *s;
const struct fst_setup_req *req = const struct fst_setup_req *req;
(const struct fst_setup_req *) &mgmt->u.action.u.fst_action;
struct fst_iface *new_iface = NULL; struct fst_iface *new_iface = NULL;
struct fst_group *g; struct fst_group *g;
u8 new_iface_peer_addr[ETH_ALEN]; u8 new_iface_peer_addr[ETH_ALEN];
@ -375,6 +374,8 @@ static void fst_session_handle_setup_request(struct fst_iface *iface,
return; return;
} }
plen = frame_len - IEEE80211_HDRLEN - 1; plen = frame_len - IEEE80211_HDRLEN - 1;
req = (const struct fst_setup_req *)
(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (req->stie.new_band_id == req->stie.old_band_id) { if (req->stie.new_band_id == req->stie.old_band_id) {
fst_printf_iface(iface, MSG_WARNING, fst_printf_iface(iface, MSG_WARNING,
@ -509,8 +510,7 @@ static void fst_session_handle_setup_response(struct fst_session *s,
const struct ieee80211_mgmt *mgmt, const struct ieee80211_mgmt *mgmt,
size_t frame_len) size_t frame_len)
{ {
const struct fst_setup_res *res = const struct fst_setup_res *res;
(const struct fst_setup_res *) &mgmt->u.action.u.fst_action;
size_t plen = frame_len - IEEE80211_HDRLEN - 1; size_t plen = frame_len - IEEE80211_HDRLEN - 1;
enum hostapd_hw_mode hw_mode; enum hostapd_hw_mode hw_mode;
u8 channel; u8 channel;
@ -537,6 +537,8 @@ static void fst_session_handle_setup_response(struct fst_session *s,
"Too short FST Response dropped"); "Too short FST Response dropped");
return; return;
} }
res = (const struct fst_setup_res *)
(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (res->dialog_token != s->data.pending_setup_req_dlgt) { if (res->dialog_token != s->data.pending_setup_req_dlgt) {
fst_printf_session(s, MSG_WARNING, fst_printf_session(s, MSG_WARNING,
@ -604,8 +606,7 @@ static void fst_session_handle_tear_down(struct fst_session *s,
const struct ieee80211_mgmt *mgmt, const struct ieee80211_mgmt *mgmt,
size_t frame_len) size_t frame_len)
{ {
const struct fst_tear_down *td = const struct fst_tear_down *td;
(const struct fst_tear_down *) &mgmt->u.action.u.fst_action;
size_t plen = frame_len - IEEE80211_HDRLEN - 1; size_t plen = frame_len - IEEE80211_HDRLEN - 1;
union fst_session_state_switch_extra evext = { union fst_session_state_switch_extra evext = {
.to_initial = { .to_initial = {
@ -624,6 +625,8 @@ static void fst_session_handle_tear_down(struct fst_session *s,
"Too short FST Tear Down dropped"); "Too short FST Tear Down dropped");
return; return;
} }
td = (const struct fst_tear_down *)
(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (le_to_host32(td->fsts_id) != s->data.fsts_id) { if (le_to_host32(td->fsts_id) != s->data.fsts_id) {
fst_printf_siface(s, iface, MSG_WARNING, fst_printf_siface(s, iface, MSG_WARNING,
@ -643,8 +646,7 @@ static void fst_session_handle_ack_request(struct fst_session *s,
const struct ieee80211_mgmt *mgmt, const struct ieee80211_mgmt *mgmt,
size_t frame_len) size_t frame_len)
{ {
const struct fst_ack_req *req = const struct fst_ack_req *req;
(const struct fst_ack_req *) &mgmt->u.action.u.fst_action;
size_t plen = frame_len - IEEE80211_HDRLEN - 1; size_t plen = frame_len - IEEE80211_HDRLEN - 1;
struct fst_ack_res res; struct fst_ack_res res;
union fst_session_state_switch_extra evext = { union fst_session_state_switch_extra evext = {
@ -674,6 +676,8 @@ static void fst_session_handle_ack_request(struct fst_session *s,
"Too short FST Ack Request dropped"); "Too short FST Ack Request dropped");
return; return;
} }
req = (const struct fst_ack_req *)
(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (le_to_host32(req->fsts_id) != s->data.fsts_id) { if (le_to_host32(req->fsts_id) != s->data.fsts_id) {
fst_printf_siface(s, iface, MSG_WARNING, fst_printf_siface(s, iface, MSG_WARNING,
@ -706,8 +710,7 @@ fst_session_handle_ack_response(struct fst_session *s,
const struct ieee80211_mgmt *mgmt, const struct ieee80211_mgmt *mgmt,
size_t frame_len) size_t frame_len)
{ {
const struct fst_ack_res *res = const struct fst_ack_res *res;
(const struct fst_ack_res *) &mgmt->u.action.u.fst_action;
size_t plen = frame_len - IEEE80211_HDRLEN - 1; size_t plen = frame_len - IEEE80211_HDRLEN - 1;
union fst_session_state_switch_extra evext = { union fst_session_state_switch_extra evext = {
.to_initial = { .to_initial = {
@ -736,6 +739,8 @@ fst_session_handle_ack_response(struct fst_session *s,
"Too short FST Ack Response dropped"); "Too short FST Ack Response dropped");
return; return;
} }
res = (const struct fst_ack_res *)
(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
if (le_to_host32(res->fsts_id) != s->data.fsts_id) { if (le_to_host32(res->fsts_id) != s->data.fsts_id) {
fst_printf_siface(s, iface, MSG_ERROR, fst_printf_siface(s, iface, MSG_ERROR,