sae: check minimum anti-clogging token size

It is possible for a zero-length anti-clogging token payload to cause IWD to abort. If the length passed into sae_process_anti_clogging was 1, l_memdup would be called with a size of -1. This will cause malloc to abort. Fix this by checking for a minimum packet length and dropping the packet if the length is too small.
2024-11-17 09:29:22 +01:00 · 2019-07-17 09:58:18 -07:00 · 2019-07-17 09:58:18 -07:00 · 0241fe81df
commit 0241fe81df
parent fe3858f738
1 changed files with 8 additions and 3 deletions
--- a/src/sae.c
+++ b/src/sae.c
@ -651,10 +651,15 @@ static void sae_process_anti_clogging(struct sae_sm *sm, const uint8_t *ptr,
 	/*
 	 * IEEE 802.11-2016 - Section 12.4.6 Anti-clogging tokens
 	 *
-	 * It is suggested that an Anti-Clogging Token not exceed 256 octets
+	 * "It is suggested that an Anti-Clogging Token not exceed 256 octets"
+	 *
+	 * Also ensure the token is at least 1 byte. The packet passed in will
+	 * contain the group number, meaning the anti-clogging token length is
+	 * going to be 2 bytes less than the passed in length. This is why we
+	 * are checking 3 > len > 258.
 	 */
-	if (len > 256) {
-		l_error("anti-clogging token size %zu too large, 256 max", len);
+	if (len < 3 || len > 258) {
+		l_error("anti-clogging token size invalid %zu", len);
 		return;
 	}