From 0241fe81dff67f4b134e01d10bd884e9509a9d6f Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Wed, 17 Jul 2019 09:58:18 -0700
Subject: [PATCH] sae: check minimum anti-clogging token size

It is possible for a zero-length anti-clogging token payload to cause IWD to abort. If the length passed into sae_process_anti_clogging was 1, l_memdup would be called with a size of -1. This will cause malloc to abort. Fix this by checking for a minimum packet length and dropping the packet if the length is too small.
---
 src/sae.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/sae.c b/src/sae.c
index c29b4d6c..8f9425f1 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -651,10 +651,15 @@ static void sae_process_anti_clogging(struct sae_sm *sm, const uint8_t *ptr,
 /*
 * IEEE 802.11-2016 - Section 12.4.6 Anti-clogging tokens
 *
- * It is suggested that an Anti-Clogging Token not exceed 256 octets
+ * "It is suggested that an Anti-Clogging Token not exceed 256 octets"
+ *
+ * Also ensure the token is at least 1 byte. The packet passed in will
+ * contain the group number, meaning the anti-clogging token length is
+ * going to be 2 bytes less than the passed in length. This is why we
+ * are checking 3 > len > 258.
 */
- if (len > 256) {
- l_error("anti-clogging token size %zu too large, 256 max", len);
+ if (len < 3 || len > 258) {
+ l_error("anti-clogging token size invalid %zu", len);
 return;
 }
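Review bot: The range written in the new comment, `3 > len > 258`, is not satisfiable and contradicts the check right below it, which rejects `len < 3 || len > 258` and therefore accepts 3..258; a reader verifying the bound against IEEE 802.11-2016 will be misled. Suggest ` * are rejecting len < 3 || len > 258, i.e. accepting 1..256 token octets.` for that comment line. Since `len` is the whole payload length (2-byte group field plus token), the new message `anti-clogging token size invalid %zu` reports the payload length rather than the token length; logging it as `"anti-clogging payload length %zu invalid (want 3..258)"` would avoid that ambiguity when triaging dropped frames. sae_process_anti_clogging begins before and continues after this hunk, so the l_memdup call the commit message refers to is not visible here.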