jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

WPS: Add explicit message length limit of 50000 bytes

Browse source 
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-11-23 20:57:34 +02:00
parent 5c6787a6ca
commit adf96fb66b
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/eap_peer/eap_wsc.c
View file

@ -462,7 +462,7 @@ static struct wpabuf * eap_wsc_process(struct eap_sm *sm, void *priv,
message_length = WPA_GET_BE16(pos); message_length = WPA_GET_BE16(pos);
pos += 2; pos += 2;
if (message_length < end - pos) { if (message_length < end - pos || message_length > 50000) {
wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid Message " wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid Message "
"Length"); "Length");
ret->ignore = TRUE; ret->ignore = TRUE;

2
src/eap_server/eap_server_wsc.c
View file

@ -380,7 +380,7 @@ static void eap_wsc_process(struct eap_sm *sm, void *priv,
message_length = WPA_GET_BE16(pos); message_length = WPA_GET_BE16(pos);
pos += 2; pos += 2;
if (message_length < end - pos) { if (message_length < end - pos || message_length > 50000) {
wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid Message " wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid Message "
"Length"); "Length");
return; return;