From e8ebef87cb4bb57a9d4b1ca3bc1ee2979ff8c297 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 24 May 2019 16:59:25 +0300
Subject: [PATCH] WNM: Fix BSS Termination Duration subelement length validation
The length check for the BSS Termination Duration subelement was accidentally removed and this could result in reading up to 10 bytes beyond the end of a received frame. The actual read bytes would be stored locally, but they were not used for anything, so other than reading beyond the end of an allocated heap memory buffer, this did not result in any behavior difference or exposure of the bytes.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14922
Fixes: 093226783dc7 ("WNM: Simplify how candidate subelements are stored")
Signed-off-by: Jouni Malinen
---
wpa_supplicant/wnm_sta.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 22a21361a..e6d7d6689 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -451,6 +451,11 @@ static void wnm_parse_neighbor_report_elem(struct neighbor_report *rep,
 rep->preference_present = 1;
 break;
 case WNM_NEIGHBOR_BSS_TERMINATION_DURATION:
+ if (elen < 10) {
+ wpa_printf(MSG_DEBUG,
+ "WNM: Too short BSS termination duration");
+ break;
+ }
 rep->bss_term_tsf = WPA_GET_LE64(pos);
 rep->bss_term_dur = WPA_GET_LE16(pos + 8);
 rep->bss_term_present = 1;
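Review bot: The literal `10` in the new `if (elen < 10)` guard is not tied to the reads it protects, `WPA_GET_LE64(pos)` (8 octets) and `WPA_GET_LE16(pos + 8)` (2 octets), and an unexplained bound is easy to drop in a later refactor, which the commit message says already happened once. A comment above the guard such as `/* BSS Termination TSF (8 octets) + Duration (2 octets) */` would make the dependency explicit. The debug message could also report the received length, e.g. `"WNM: Too short BSS termination duration (elen=%u)"` with the specifier matched to elen's type, so a malformed frame can be identified from logs. The other `case` arms of this switch lie outside the hunk; since the Fixes: commit changed how candidate subelements are stored, it is worth confirming that each of them still checks `elen` before its fixed-offset reads. The body of wnm_parse_neighbor_report_elem starts and ends outside the hunk.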