Move SA Query frame length check to the shared handler function
Check the length in the common handler functions instead of both callers. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
		
							parent
							
								
									002edb6303
								
							
						
					
					
						commit
						700b3f395e
					
				
					 3 changed files with 12 additions and 22 deletions
				
			
		|  | @ -1110,8 +1110,9 @@ static void hostapd_action_rx(struct hostapd_data *hapd, | ||||||
| 	} | 	} | ||||||
| #endif /* CONFIG_IEEE80211R_AP */ | #endif /* CONFIG_IEEE80211R_AP */ | ||||||
| #ifdef CONFIG_IEEE80211W | #ifdef CONFIG_IEEE80211W | ||||||
| 	if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY && plen >= 4) { | 	if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY) { | ||||||
| 		ieee802_11_sa_query_action(hapd, mgmt, drv_mgmt->frame_len); | 		ieee802_11_sa_query_action(hapd, mgmt, drv_mgmt->frame_len); | ||||||
|  | 		return; | ||||||
| 	} | 	} | ||||||
| #endif /* CONFIG_IEEE80211W */ | #endif /* CONFIG_IEEE80211W */ | ||||||
| #ifdef CONFIG_WNM_AP | #ifdef CONFIG_WNM_AP | ||||||
|  |  | ||||||
|  | @ -4102,26 +4102,6 @@ static void handle_beacon(struct hostapd_data *hapd, | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #ifdef CONFIG_IEEE80211W | #ifdef CONFIG_IEEE80211W | ||||||
| 
 |  | ||||||
| static int hostapd_sa_query_action(struct hostapd_data *hapd, |  | ||||||
| 				   const struct ieee80211_mgmt *mgmt, |  | ||||||
| 				   size_t len) |  | ||||||
| { |  | ||||||
| 	const u8 *end; |  | ||||||
| 
 |  | ||||||
| 	end = mgmt->u.action.u.sa_query_resp.trans_id + |  | ||||||
| 		WLAN_SA_QUERY_TR_ID_LEN; |  | ||||||
| 	if (((u8 *) mgmt) + len < end) { |  | ||||||
| 		wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action " |  | ||||||
| 			   "frame (len=%lu)", (unsigned long) len); |  | ||||||
| 		return 0; |  | ||||||
| 	} |  | ||||||
| 
 |  | ||||||
| 	ieee802_11_sa_query_action(hapd, mgmt, len); |  | ||||||
| 	return 1; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| static int robust_action_frame(u8 category) | static int robust_action_frame(u8 category) | ||||||
| { | { | ||||||
| 	return category != WLAN_ACTION_PUBLIC && | 	return category != WLAN_ACTION_PUBLIC && | ||||||
|  | @ -4207,7 +4187,8 @@ static int handle_action(struct hostapd_data *hapd, | ||||||
| 		return 1; | 		return 1; | ||||||
| #ifdef CONFIG_IEEE80211W | #ifdef CONFIG_IEEE80211W | ||||||
| 	case WLAN_ACTION_SA_QUERY: | 	case WLAN_ACTION_SA_QUERY: | ||||||
| 		return hostapd_sa_query_action(hapd, mgmt, len); | 		ieee802_11_sa_query_action(hapd, mgmt, len); | ||||||
|  | 		return 1; | ||||||
| #endif /* CONFIG_IEEE80211W */ | #endif /* CONFIG_IEEE80211W */ | ||||||
| #ifdef CONFIG_WNM_AP | #ifdef CONFIG_WNM_AP | ||||||
| 	case WLAN_ACTION_WNM: | 	case WLAN_ACTION_WNM: | ||||||
|  |  | ||||||
|  | @ -213,6 +213,14 @@ void ieee802_11_sa_query_action(struct hostapd_data *hapd, | ||||||
| 	const u8 action_type = mgmt->u.action.u.sa_query_resp.action; | 	const u8 action_type = mgmt->u.action.u.sa_query_resp.action; | ||||||
| 	const u8 *trans_id = mgmt->u.action.u.sa_query_resp.trans_id; | 	const u8 *trans_id = mgmt->u.action.u.sa_query_resp.trans_id; | ||||||
| 
 | 
 | ||||||
|  | 	if (((const u8 *) mgmt) + len < | ||||||
|  | 	    mgmt->u.action.u.sa_query_resp.variable) { | ||||||
|  | 		wpa_printf(MSG_DEBUG, | ||||||
|  | 			   "IEEE 802.11: Too short SA Query Action frame (len=%lu)", | ||||||
|  | 			   (unsigned long) len); | ||||||
|  | 		return; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	sta = ap_get_sta(hapd, sa); | 	sta = ap_get_sta(hapd, sa); | ||||||
| 
 | 
 | ||||||
| #ifdef CONFIG_OCV | #ifdef CONFIG_OCV | ||||||
|  |  | ||||||
		Loading…
	
		Reference in a new issue
	
	 Jouni Malinen
						Jouni Malinen