Check Public Action length explicitly before reading Action Code

In theory, the previous version could have resulted in reading one byte
beyond the end of the management frame RX buffer if the local driver
were to deliver a truncated Public Action frame for processing. In
practice, this did not seem to happen with mac80211-based drivers and
even if it were, the extra octet would be an uninitialized value in a
buffer rather than read beyond the end of the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2015-05-03 16:24:01 +03:00
parent ff4a6d4382
commit fd66aa63f4
1 changed file with 2 additions and 1 deletion


@ -2098,7 +2098,8 @@ static int handle_action(struct hostapd_data *hapd,
case WLAN_ACTION_PUBLIC:
case WLAN_ACTION_PROTECTED_DUAL:
#ifdef CONFIG_IEEE80211N
if (mgmt->u.action.u.public_action.action ==
if (len >= IEEE80211_HDRLEN + 2 &&
mgmt->u.action.u.public_action.action ==
WLAN_PA_20_40_BSS_COEX) {
wpa_printf(MSG_DEBUG,
"HT20/40 coex mgmt frame received from STA "
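Review bot: The new `len >= IEEE80211_HDRLEN + 2` guard covers exactly the two octets read here (category at offset 0 of the action body, action code at offset 1), so the dereference of `mgmt->u.action.u.public_action.action` is now in bounds for a truncated frame; it does not, however, say anything about the rest of the frame. Whatever handler runs inside the `WLAN_PA_20_40_BSS_COEX` branch must still bound its own parsing of the 20/40 coexistence elements against `len` rather than relying on this check. Two smaller points: the guard sits inside `#ifdef CONFIG_IEEE80211N`, so it should be confirmed that no other code path in the `WLAN_ACTION_PUBLIC` / `WLAN_ACTION_PROTECTED_DUAL` cases reads the action code outside that ifdef, and the commit message's argument that an over-read would hit an uninitialized octet rather than memory past the buffer is a property of particular drivers and RX buffer layouts, which is precisely why the explicit length check is the right fix regardless of the driver in use.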