diff options
author | Bjoern A. Zeeb <bz@FreeBSD.org> | 2022-08-17 16:48:37 +0000 |
---|---|---|
committer | Bjoern A. Zeeb <bz@FreeBSD.org> | 2022-09-21 11:46:45 +0000 |
commit | 31b4fa3dbcf16ca81293efacd38b7d937d1df07e (patch) | |
tree | d1f956254bfe1290c7f2ee94b3e262dcf66d095f /sys/net80211 | |
parent | d829107707914fa41dec07cd263fee12a9ec8b46 (diff) | |
download | src-31b4fa3dbcf16ca81293efacd38b7d937d1df07e.tar.gz src-31b4fa3dbcf16ca81293efacd38b7d937d1df07e.zip |
net80211: ieee80211_ies_expand() add extra length check
Make sure the given IE length fits into the total length left when
parsing through the information elements. In theory I would say
discard everything if there is an error but that proves hard with
the current code.
Sponsored by: The FreeBSD Foundation
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D36245
(cherry picked from commit 9d2ba51806c32e7ea8ad83439cb48df91575b5bf)
Diffstat (limited to 'sys/net80211')
-rw-r--r-- | sys/net80211/ieee80211_node.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c index a739b0586088..bc8a240811de 100644 --- a/sys/net80211/ieee80211_node.c +++ b/sys/net80211/ieee80211_node.c @@ -1137,6 +1137,14 @@ ieee80211_ies_expand(struct ieee80211_ies *ies) ie = ies->data; ielen = ies->len; while (ielen > 1) { + /* Make sure the given IE length fits into the total length. */ + if ((2 + ie[1]) > ielen) { + printf("%s: malformed IEs! ies %p { data %p len %d }: " + "ie %u len 2+%u > total len left %d\n", + __func__, ies, ies->data, ies->len, + ie[0], ie[1], ielen); + return; + } switch (ie[0]) { case IEEE80211_ELEMID_VENDOR: if (iswpaoui(ie)) |