mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-12-21 03:32:42 +01:00
sae: check minimum anti-clogging token size
It is possible for a zero-length anti-clogging token payload to cause IWD to abort. If the length passed into sae_process_anti_clogging was 1, l_memdup would be called with a size of -1. This will cause malloc to abort. Fix this by checking for a minimum packet length and dropping the packet if the length is too small.
This commit is contained in:
parent
fe3858f738
commit
0241fe81df
11
src/sae.c
11
src/sae.c
@ -651,10 +651,15 @@ static void sae_process_anti_clogging(struct sae_sm *sm, const uint8_t *ptr,
|
||||
/*
|
||||
* IEEE 802.11-2016 - Section 12.4.6 Anti-clogging tokens
|
||||
*
|
||||
* It is suggested that an Anti-Clogging Token not exceed 256 octets
|
||||
* "It is suggested that an Anti-Clogging Token not exceed 256 octets"
|
||||
*
|
||||
* Also ensure the token is at least 1 byte. The packet passed in will
|
||||
* contain the group number, meaning the anti-clogging token length is
|
||||
* going to be 2 bytes less than the passed in length. This is why we
|
||||
* are checking 3 > len > 258.
|
||||
*/
|
||||
if (len > 256) {
|
||||
l_error("anti-clogging token size %zu too large, 256 max", len);
|
||||
if (len < 3 || len > 258) {
|
||||
l_error("anti-clogging token size invalid %zu", len);
|
||||
return;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user