AP: Validate management frame length
Make sure that received management frames are long enough before processing them. This avoids a potential segmentation fault if a driver delivers an invalid frame all the way to hostapd.
parent
e4d7b22a53
commit
cbcf92b42f
2 changed files with 5 additions and 0 deletions
|
@ -211,6 +211,8 @@ void handle_probe_req(struct hostapd_data *hapd,
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
ie = mgmt->u.probe_req.variable;
|
ie = mgmt->u.probe_req.variable;
|
||||||
|
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req))
|
||||||
|
return;
|
||||||
ie_len = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req));
|
ie_len = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req));
|
||||||
|
|
||||||
for (i = 0; hapd->probereq_cb && i < hapd->num_probereq_cb; i++)
|
for (i = 0; hapd->probereq_cb && i < hapd->num_probereq_cb; i++)
|
||||||
|
|
|
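Review bot: The new `if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req)) return;` guard has no comment saying what it protects, so a later refactor could drop it or move it below the subtraction. It is what keeps `ie_len = len - (...)` on the next line from wrapping for a short frame, which would otherwise give the IE parsing that follows a length far beyond the received buffer (assuming `len` and `ie_len` are unsigned here, as `len` is `size_t` in ieee802_11_mgmt). I would add `/* Truncated frame: len - header size would wrap and ie_len would run past the buffer */` above the check. The frame is also dropped silently; a debug-level log line with the received length would make malformed frames from a driver visible during triage. handle_probe_req begins and continues outside this hunk, so the declarations of `len` and `ie_len` are not visible.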
@ -1460,6 +1460,9 @@ void ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
|
||||||
int broadcast;
|
int broadcast;
|
||||||
u16 fc, stype;
|
u16 fc, stype;
|
||||||
|
|
||||||
|
if (len < 24)
|
||||||
|
return;
|
||||||
|
|
||||||
mgmt = (struct ieee80211_mgmt *) buf;
|
mgmt = (struct ieee80211_mgmt *) buf;
|
||||||
fc = le_to_host16(mgmt->frame_control);
|
fc = le_to_host16(mgmt->frame_control);
|
||||||
stype = WLAN_FC_GET_STYPE(fc);
|
stype = WLAN_FC_GET_STYPE(fc);
|
||||||
|
|
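Review bot: The bare `24` in `if (len < 24)` is a magic number; the probe-request check added by this same commit writes the header length as `IEEE80211_HDRLEN`, so `if (len < IEEE80211_HDRLEN)` would keep the two guards consistent (assuming that macro is the 24-byte management header). This guard only covers the fixed header that `mgmt->frame_control` is read from. Each handler selected by `stype` still needs its own minimum length for the subtype body, as handle_probe_req now has; those handlers are outside this hunk, so I cannot confirm they do. A one-line comment such as `/* need a full management header before reading frame_control */` would record the intent.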