commit 36b5e559f1387d4e02059753ecfb04461d62f381
Author: Jouni Malinen
Date: Sat Sep 27 10:49:56 2008 +0300

Validate WEXT event iwe->u.data.length before using the event data

This is needed to avoid crashing wpa_supplicant with invalid event messages that may be received when using 64-bit kernel with 32-bit userspace.

diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c
index a3c4733..6b7f1a7 100644
--- a/src/drivers/driver_wext.c
+++ b/src/drivers/driver_wext.c
@@ -652,12 +652,20 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
 }
 break;
 case IWEVMICHAELMICFAILURE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVMICHAELMICFAILURE length");
+ return;
+ }
 wpa_driver_wext_event_wireless_michaelmicfailure(
 ctx, custom, iwe->u.data.length);
 break;
 case IWEVCUSTOM:
- if (custom + iwe->u.data.length > end)
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVCUSTOM length");
 return;
+ }
 buf = os_malloc(iwe->u.data.length + 1);
 if (buf == NULL)
 return;
@@ -673,14 +681,29 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
 wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL);
 break;
 case IWEVASSOCREQIE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVASSOCREQIE length");
+ return;
+ }
 wpa_driver_wext_event_wireless_assocreqie(
 drv, custom, iwe->u.data.length);
 break;
 case IWEVASSOCRESPIE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVASSOCRESPIE length");
+ return;
+ }
 wpa_driver_wext_event_wireless_assocrespie(
 drv, custom, iwe->u.data.length);
 break;
 case IWEVPMKIDCAND:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVPMKIDCAND length");
+ return;
+ }
 wpa_driver_wext_event_wireless_pmkidcand(
 drv, custom, iwe->u.data.length);
 break;
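Review bot: The bounds test `custom + iwe->u.data.length > end`, added for IWEVMICHAELMICFAILURE and kept for IWEVCUSTOM in this hunk (and repeated for IWEVASSOCREQIE, IWEVASSOCRESPIE and IWEVPMKIDCAND in the next one), forms the pointer `custom + length` before it is known to stay inside the event buffer. In C a pointer more than one element past the end of its object is undefined, so the check leans on behaviour the compiler is not required to preserve. Comparing lengths avoids forming that pointer: `if (end - custom < iwe->u.data.length) {`, which, assuming both point into the same buffer, also rejects the event when `custom` already lies beyond `end`. How `custom` and `end` are derived is outside the hunk, as are the start and end of wpa_driver_wext_event_wireless, so that relation should be confirmed there.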
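Review bot: The same five-line length check now appears once per event type (three copies in this hunk, two more in the previous one), differing only in the name inside the debug string, so a case added later can easily be left without it. A small file-local helper would keep the check in one place, and the debug message could carry the rejected length, which makes a malformed event from a 64-bit kernel easier to recognise in logs. The sketch below uses a made-up helper name and assumes `custom` and `end` are `char *`; their declarations and the rest of wpa_driver_wext_event_wireless are outside the hunk.

```c
/* Proposed helper (name is a suggestion): returns 1 if the event payload fits. */
static int wext_event_len_ok(const char *custom, const char *end,
			     const struct iw_event *iwe, const char *name)
{
	/* Compare lengths rather than forming custom + length. */
	if (end - custom < iwe->u.data.length) {
		wpa_printf(MSG_DEBUG, "WEXT: Invalid %s length %u",
			   name, (unsigned int) iwe->u.data.length);
		return 0;
	}
	return 1;
}

		case IWEVASSOCREQIE:
			if (!wext_event_len_ok(custom, end, iwe, "IWEVASSOCREQIE"))
				return;
			/* … unchanged: wpa_driver_wext_event_wireless_assocreqie call … */
```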