P2P: Fix validation on Invitation Request error path

It was possible for the error path to try to use P2P Group ID attribute even if one was not included in the message. This could result in dereferencing a NULL pointer, so re-check the pointer before copying the data. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 02:06:06 +02:00 · 2014-03-02 02:06:06 +02:00 · fa72a880ed
commit fa72a880ed
parent ca412c7a38
1 changed files with 10 additions and 5 deletions
--- a/src/p2p/p2p_invitation.c
+++ b/src/p2p/p2p_invitation.c
@ -359,12 +359,17 @@ fail:
 		p2p->inv_group_bssid_ptr = p2p->inv_group_bssid;
 	} else
 		p2p->inv_group_bssid_ptr = NULL;
-	if (msg.group_id_len - ETH_ALEN <= 32) {
-		os_memcpy(p2p->inv_ssid, msg.group_id + ETH_ALEN,
-			  msg.group_id_len - ETH_ALEN);
-		p2p->inv_ssid_len = msg.group_id_len - ETH_ALEN;
+	if (msg.group_id) {
+		if (msg.group_id_len - ETH_ALEN <= 32) {
+			os_memcpy(p2p->inv_ssid, msg.group_id + ETH_ALEN,
+				  msg.group_id_len - ETH_ALEN);
+			p2p->inv_ssid_len = msg.group_id_len - ETH_ALEN;
+		}
+		os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN);
+	} else {
+		p2p->inv_ssid_len = 0;
+		os_memset(p2p->inv_go_dev_addr, 0, ETH_ALEN);
 	}
-	os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN);
 	p2p->inv_status = status;
 	p2p->inv_op_freq = op_freq;