Move SA Query frame length check to the shared handler function

Check the length in the common handler functions instead of both
callers.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2019-03-09 12:40:05 +02:00
parent 002edb6303
commit 700b3f395e
3 changed files with 12 additions and 22 deletions


@ -1110,8 +1110,9 @@ static void hostapd_action_rx(struct hostapd_data *hapd,
} }
#endif /* CONFIG_IEEE80211R_AP */ #endif /* CONFIG_IEEE80211R_AP */
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY && plen >= 4) { if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY) {
ieee802_11_sa_query_action(hapd, mgmt, drv_mgmt->frame_len); ieee802_11_sa_query_action(hapd, mgmt, drv_mgmt->frame_len);
return;
} }
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_WNM_AP #ifdef CONFIG_WNM_AP
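Review bot: The call site no longer says what minimum length the SA Query handler relies on, so a reader of hostapd_action_rx cannot tell that the frame length is still validated after `plen >= 4` was dropped; a one-line comment above the call, `/* ieee802_11_sa_query_action() rejects frames shorter than the fixed SA Query header */`, would keep that visible. Note that the `mgmt->u.action.category` read in the condition was never guarded by the dropped `plen >= 4` (it is evaluated first), so it presumably relies on a length check earlier in the function, which is outside the hunk. hostapd_action_rx starts and ends outside the hunk.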


@ -4102,26 +4102,6 @@ static void handle_beacon(struct hostapd_data *hapd,
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
static int hostapd_sa_query_action(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt,
size_t len)
{
const u8 *end;
end = mgmt->u.action.u.sa_query_resp.trans_id +
WLAN_SA_QUERY_TR_ID_LEN;
if (((u8 *) mgmt) + len < end) {
wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action "
"frame (len=%lu)", (unsigned long) len);
return 0;
}
ieee802_11_sa_query_action(hapd, mgmt, len);
return 1;
}
static int robust_action_frame(u8 category) static int robust_action_frame(u8 category)
{ {
return category != WLAN_ACTION_PUBLIC && return category != WLAN_ACTION_PUBLIC &&
@ -4207,7 +4187,8 @@ static int handle_action(struct hostapd_data *hapd,
return 1; return 1;
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
case WLAN_ACTION_SA_QUERY: case WLAN_ACTION_SA_QUERY:
return hostapd_sa_query_action(hapd, mgmt, len); ieee802_11_sa_query_action(hapd, mgmt, len);
return 1;
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_WNM_AP #ifdef CONFIG_WNM_AP
case WLAN_ACTION_WNM: case WLAN_ACTION_WNM:
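Review bot: The new `case WLAN_ACTION_SA_QUERY` returns 1 unconditionally, whereas the removed hostapd_sa_query_action returned 0 when the frame was too short (the `return 0;` in the deleted hunk above), so a truncated SA Query frame is now reported to handle_action's caller as handled rather than unhandled. If the caller acts differently on a 0 return, this is a silent behaviour change the commit message does not mention; either confirm it is intended or record it with a comment such as `/* length is validated inside ieee802_11_sa_query_action(); short frames are dropped there */`. The first hunk of this file is a pure deletion and needs no further review. handle_action's switch and body continue outside the hunk.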


@ -213,6 +213,14 @@ void ieee802_11_sa_query_action(struct hostapd_data *hapd,
const u8 action_type = mgmt->u.action.u.sa_query_resp.action; const u8 action_type = mgmt->u.action.u.sa_query_resp.action;
const u8 *trans_id = mgmt->u.action.u.sa_query_resp.trans_id; const u8 *trans_id = mgmt->u.action.u.sa_query_resp.trans_id;
if (((const u8 *) mgmt) + len <
mgmt->u.action.u.sa_query_resp.variable) {
wpa_printf(MSG_DEBUG,
"IEEE 802.11: Too short SA Query Action frame (len=%lu)",
(unsigned long) len);
return;
}
sta = ap_get_sta(hapd, sa); sta = ap_get_sta(hapd, sa);
#ifdef CONFIG_OCV #ifdef CONFIG_OCV
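Review bot: `action_type` is initialized from `mgmt->u.action.u.sa_query_resp.action` on the first line of the hunk, before the new length check, so the action byte is read even when len covers only the header and category; unless every caller already guarantees that byte (not visible here), the read should move below the check, e.g. declare `u8 action_type;` and assign `action_type = mgmt->u.action.u.sa_query_resp.action;` after the `if` block. `trans_id` is only a pointer computation and is fine before the check. The check compares against `sa_query_resp.variable`, which presumably starts immediately after the trans_id field and thus gives the same bound as the removed `trans_id + WLAN_SA_QUERY_TR_ID_LEN`; the struct definition is not on the page, so that is worth confirming. ieee802_11_sa_query_action starts and ends outside the hunk.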