From dc72854fe2fb726068de8c9bf2d0737b05cd975d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 23 Feb 2021 00:30:09 +0200
Subject: [PATCH] Fix handle_auth_cb() message length check regression

Reordering of code in handle_auth_cb() when adding support for full station state messaged up frame length checks. The length was originally tested before looking at the payload of the frame and that is obviously the correct location for that check. The location after those full state state changes was after having read six octets of the payload which did not help at all since there was no addition accesses to the payload after that check. Move the payload length check to appropriate place to get this extra level of protection behaving in the expected manner.

Since this is a TX status callback handler, the frame payload is from a locally generated Authentication frame and as such, it will be long enough to include these fields in production use cases. Anyway, better keep this check in working condition.

Fixes: bb598c3bdd06 ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen
---
 src/ap/ieee802_11.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 233da7bfc..40d4a3381 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -6202,6 +6202,15 @@ static void handle_auth_cb(struct hostapd_data *hapd,
 		return;
 	}
 
+	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
+		wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
+			   (unsigned long) len);
+		auth_alg = 0;
+		auth_transaction = 0;
+		status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
+		goto fail;
+	}
+
 	auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
 	auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
 	status_code = le_to_host16(mgmt->u.auth.status_code);
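Review bot: The three assignments placed before `goto fail` in the new length check carry no explanation; auth_alg, auth_transaction and status_code have not been parsed at that point, so they are presumably being initialised because the fail: path (outside this hunk) reports them, and a one-line comment would stop a later reorder from dropping them and reintroducing a read of uninitialised locals. Suggest `/* Nothing parsed yet; the fail path reports these values */` above `auth_alg = 0;`. The check now precedes every mgmt->u.auth access, which is the property the commit restores, so any future field read added above this point would need the check moved again. handle_auth_cb's body continues outside the hunk on both sides.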
@@ -6213,12 +6222,6 @@ static void handle_auth_cb(struct hostapd_data *hapd,
 		goto fail;
 	}
 
-	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
-		wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
-			   (unsigned long) len);
-		goto fail;
-	}
-
 	if (status_code == WLAN_STATUS_SUCCESS &&
 	    ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
 	     (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {