sae: check minimum anti-clogging token size

It is possible for a zero-length anti-clogging token payload to cause
IWD to abort. If the length passed into sae_process_anti_clogging was
1, l_memdup would be called with a size of -1. This will cause malloc
to abort.

Fix this by checking for a minimum packet length and dropping the
packet if the length is too small.
This commit is contained in:
James Prestwood 2019-07-17 09:58:18 -07:00 committed by Denis Kenzior
parent fe3858f738
commit 0241fe81df
1 changed files with 8 additions and 3 deletions

@ -651,10 +651,15 @@ static void sae_process_anti_clogging(struct sae_sm *sm, const uint8_t *ptr,
/*
* IEEE 802.11-2016 - Section 12.4.6 Anti-clogging tokens
*
* It is suggested that an Anti-Clogging Token not exceed 256 octets
* "It is suggested that an Anti-Clogging Token not exceed 256 octets"
*
* Also ensure the token is at least 1 byte. The packet passed in will
* contain the group number, meaning the anti-clogging token length is
* going to be 2 bytes less than the passed in length. This is why we
* are checking 3 > len > 258.
*/
if (len > 256) {
l_error("anti-clogging token size %zu too large, 256 max", len);
if (len < 3 || len > 258) {
l_error("anti-clogging token size invalid %zu", len);
return;
}
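Review bot: The closing sentence of the new comment, "This is why we are checking 3 > len > 258", does not describe the condition below it. As written it is not a satisfiable range, and it is easy to read as the accepted bounds rather than the rejected ones. Suggest stating the accepted range instead, for example "len must be between 3 and 258 inclusive: 2 bytes of group number plus a token of 1 to 256 octets", so the comment matches `if (len < 3 || len > 258)`. The new l_error text has a related mismatch: it says "anti-clogging token size invalid %zu" but prints len, which per the comment includes the 2-byte group number, so the logged value is 2 larger than the token size. Either word the message as the packet length or print the token length only on the too-large path, where subtracting 2 cannot wrap. The replaced message also told the reader the 256 limit; keeping the allowed bounds in the new message would preserve that when a peer's frame is dropped.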