jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

HS 2.0: Clarify OSU Friendly Name length validation

Browse source 
This extends the changes in commit 0570a3ea7d ("HS 2.0: Clarify OSU
Provider list length validation") to cover the length field for the OSU
Friendly Name value to try to get this easier for static analyzers to
understand.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2020-11-03 19:56:39 +02:00 committed by Jouni Malinen
parent 05962099c3
commit ec0d99c00e
1 changed files with 15 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
wpa_supplicant/hs20_supplicant.c
View file

@ -901,14 +901,25 @@ static void hs20_osu_add_prov(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
/* OSU Friendly Name Duples */
while (pos - pos2 >= 4 && prov->friendly_name_count < OSU_MAX_ITEMS) {
struct osu_lang_string *f;
if (1 + pos2[0] > pos - pos2 || pos2[0] < 3) {
u8 slen;
slen = pos2[0];
if (1 + slen > pos - pos2) {
wpa_printf(MSG_DEBUG, "Invalid OSU Friendly Name");
break;
}
if (slen < 3) {
wpa_printf(MSG_DEBUG,
"Invalid OSU Friendly Name (no room for language)");
break;
}
f = &prov->friendly_name[prov->friendly_name_count++];
os_memcpy(f->lang, pos2 + 1, 3);
os_memcpy(f->text, pos2 + 1 + 3, pos2[0] - 3);
pos2 += 1 + pos2[0];
pos2++;
os_memcpy(f->lang, pos2, 3);
pos2 += 3;
slen -= 3;
os_memcpy(f->text, pos2, slen);
pos2 += slen;
}
/* OSU Server URI */