66 lines
2.1 KiB
Diff
66 lines
2.1 KiB
Diff
commit 36b5e559f1387d4e02059753ecfb04461d62f381
|
|
Author: Jouni Malinen <jouni.malinen@atheros.com>
|
|
Date: Sat Sep 27 10:49:56 2008 +0300
|
|
|
|
Validate WEXT event iwe->u.data.length before using the event data
|
|
|
|
This is needed to avoid crashing wpa_supplicant with invalid event messages
|
|
that may be received when using 64-bit kernel with 32-bit userspace.
|
|
|
|
diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c
|
|
index a3c4733..6b7f1a7 100644
|
|
--- a/src/drivers/driver_wext.c
|
|
+++ b/src/drivers/driver_wext.c
|
|
@@ -652,12 +652,20 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
|
|
}
|
|
break;
|
|
case IWEVMICHAELMICFAILURE:
|
|
+ if (custom + iwe->u.data.length > end) {
|
|
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
|
|
+ "IWEVMICHAELMICFAILURE length");
|
|
+ return;
|
|
+ }
|
|
wpa_driver_wext_event_wireless_michaelmicfailure(
|
|
ctx, custom, iwe->u.data.length);
|
|
break;
|
|
case IWEVCUSTOM:
|
|
- if (custom + iwe->u.data.length > end)
|
|
+ if (custom + iwe->u.data.length > end) {
|
|
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
|
|
+ "IWEVCUSTOM length");
|
|
return;
|
|
+ }
|
|
buf = os_malloc(iwe->u.data.length + 1);
|
|
if (buf == NULL)
|
|
return;
|
|
@@ -673,14 +681,29 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
|
|
wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL);
|
|
break;
|
|
case IWEVASSOCREQIE:
|
|
+ if (custom + iwe->u.data.length > end) {
|
|
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
|
|
+ "IWEVASSOCREQIE length");
|
|
+ return;
|
|
+ }
|
|
wpa_driver_wext_event_wireless_assocreqie(
|
|
drv, custom, iwe->u.data.length);
|
|
break;
|
|
case IWEVASSOCRESPIE:
|
|
+ if (custom + iwe->u.data.length > end) {
|
|
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
|
|
+ "IWEVASSOCRESPIE length");
|
|
+ return;
|
|
+ }
|
|
wpa_driver_wext_event_wireless_assocrespie(
|
|
drv, custom, iwe->u.data.length);
|
|
break;
|
|
case IWEVPMKIDCAND:
|
|
+ if (custom + iwe->u.data.length > end) {
|
|
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
|
|
+ "IWEVPMKIDCAND length");
|
|
+ return;
|
|
+ }
|
|
wpa_driver_wext_event_wireless_pmkidcand(
|
|
drv, custom, iwe->u.data.length);
|
|
break;
|