From d3fa2bbb0278ffe34fc4486f04c4281a2b100c67 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 30 Jun 2014 00:43:28 +0300
Subject: [PATCH] WFD: Explicit limit for subelement length (CID 68127)

This adds an explicit limit for the maximum Wi-Fi Display subelement length for ASCII hexdump. This would not really be needed since the buffer is already limited by maximum frame length. Anyway, since this can make static analyzers happier and the subelement used with this function is short, we may as well include an explicit check.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/wifi_display.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/wpa_supplicant/wifi_display.c b/wpa_supplicant/wifi_display.c
index f0c43644d..b6f923638 100644
--- a/wpa_supplicant/wifi_display.c
+++ b/wpa_supplicant/wifi_display.c
@@ -280,6 +280,16 @@ char * wifi_display_subelem_hex(const struct wpabuf *wfd_subelems, u8 id)
 break; /* truncated subelement */
 if (buf[i] == id) {
+ /*
+ * Limit explicitly to an arbitrary length to avoid
+ * unnecessarily large allocations. In practice, this
+ * is limited to maximum frame length anyway, so the
+ * maximum memory allocation here is not really that
+ * large. Anyway, the Wi-Fi Display subelements that
+ * are fetched with this function are even shorter.
+ */
+ if (elen > 1000)
+ break;
 subelem = os_zalloc(2 * elen + 1);
 if (!subelem) return NULL;
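Review bot: The added `if (elen > 1000) break;` rejects an over-long matching subelement silently, so a caller presumably cannot tell a rejected subelement from an absent one (the return path after the loop is outside this hunk). A debug message at the rejection point, for example `wpa_printf(MSG_DEBUG, "WFD: Ignore too long subelement (id=%u len=%u)", id, (unsigned int) elen);`, would make a peer that sends oversized subelements visible in the logs. The bound `1000` is also a bare literal; a named constant beside the function (illustrative name: `WFD_SUBELEM_HEX_MAX_LEN`) would keep the limit and the comment's "arbitrary length" in one place. The body of wifi_display_subelem_hex starts and ends outside the hunk.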