From 93a06fe103932167afeff61953239925221832b9 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 20 Nov 2013 12:08:09 +0200
Subject: [PATCH] Fix QoS Map Configure frame use

The QoS Map Set element was passed in full to the driver instead of just the payload of the element. This resulted in the updated QoS Map being rejected. Validate the element id/len and send only the payload to the driver.

Signed-hostap: Jouni Malinen
---
 wpa_supplicant/events.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 44e6be343..b70e1fb71 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3028,12 +3028,15 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
 if (data->rx_action.category == WLAN_ACTION_QOS &&
 data->rx_action.len >= 1 &&
 data->rx_action.data[0] == QOS_QOS_MAP_CONFIG) {
+ const u8 *pos = data->rx_action.data + 1;
+ size_t len = data->rx_action.len - 1;
 wpa_dbg(wpa_s, MSG_DEBUG, "Interworking: Received QoS Map Configure frame from "
 MACSTR, MAC2STR(data->rx_action.sa));
- if (os_memcmp(data->rx_action.sa, wpa_s->bssid, ETH_ALEN)
- == 0)
- wpas_qos_map_set(wpa_s, data->rx_action.data + 1,
- data->rx_action.len - 1);
+ if (os_memcmp(data->rx_action.sa, wpa_s->bssid,
+ ETH_ALEN) == 0 &&
+ len > 2 && pos[0] == WLAN_EID_QOS_MAP_SET &&
+ pos[1] <= len - 2 && pos[1] >= 16)
+ wpas_qos_map_set(wpa_s, pos + 2, pos[1]);
 break;
 }
 #endif /* CONFIG_INTERWORKING */
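Review bot: The new length check in the `if` accepts any element length from 16 up to the remaining frame, so an odd `pos[1]`, or one above 58 octets (eight two-octet UP ranges plus at most 21 two-octet DSCP exceptions), is still forwarded to `wpas_qos_map_set()`. Whether that function or the driver rejects such a payload is not visible in this hunk; if neither does, extend the condition with `(pos[1] & 1) == 0 && pos[1] <= 58`. The bare `16` would read better as a named constant or with a comment such as `/* 8 DSCP ranges, 2 octets each */`. A frame that fails these checks is dropped silently, so a `wpa_dbg()` line in an else branch would help when diagnosing a rejected QoS Map. The enclosing `wpa_supplicant_event()` starts and ends outside the hunk.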