From fd66aa63f4390b9a6155a9b6fd9ebcb37e7290dd Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 3 May 2015 16:24:01 +0300
Subject: [PATCH] Check Public Action length explicitly before reading Action Code

In theory, the previous version could have resulted in reading one byte beyond the end of the management frame RX buffer if the local driver were to deliver a truncated Public Action frame for processing. In practice, this did not seem to happen with mac80211-based drivers and even if it were, the extra octet would be an uninitialized value in a buffer rather than read beyond the end of the buffer.

Signed-off-by: Jouni Malinen
---
 src/ap/ieee802_11.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 9e7d70dec..8d2a06637 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2098,7 +2098,8 @@ static int handle_action(struct hostapd_data *hapd,
 case WLAN_ACTION_PUBLIC:
 case WLAN_ACTION_PROTECTED_DUAL:
 #ifdef CONFIG_IEEE80211N
- if (mgmt->u.action.u.public_action.action ==
+ if (len >= IEEE80211_HDRLEN + 2 &&
+ mgmt->u.action.u.public_action.action ==
 WLAN_PA_20_40_BSS_COEX) {
 wpa_printf(MSG_DEBUG,
 "HT20/40 coex mgmt frame received from STA "
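Review bot: The new length guard on the added `if` line encodes the size of the Public Action header as the bare constant `2`, which a reader has to reconstruct as the category octet plus the action-code octet that `public_action.action` reads; a short comment on that line, `/* category + action code must fit in the frame */`, or a named constant would make the bound self-explaining. The bound is shared by WLAN_ACTION_PROTECTED_DUAL, which falls into the same case, so the comment should say it covers both categories. handle_action starts and ends outside the hunk, so whether a frame failing this check is dropped or falls through to later handling in the function is not visible here; if it falls through, the other branches presumably need their own length checks, which is worth confirming.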