mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-21 11:52:34 +01:00

sae: check minimum anti-clogging token size

It is possible for a zero-length anti-clogging token payload to cause
IWD to abort. If the length passed into sae_process_anti_clogging was
1, l_memdup would be called with a size of -1. This will cause malloc
to abort.

Fix this by checking for a minimum packet length and dropping the
packet if the length is too small.
This commit is contained in:
James Prestwood 2019-07-17 09:58:18 -07:00 committed by Denis Kenzior
parent fe3858f738
commit 0241fe81df
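
The length arithmetic described in the commit message, as an added example (not iwd's code). It assumes the token length is derived as the passed-in length minus the 2-byte group number, as the patch comment states; the helper names and the sample payload are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GROUP_FIELD_LEN 2   /* group number that precedes the token */
#define TOKEN_MAX_LEN   256 /* suggested maximum, 802.11-2016 12.4.6 */

/* Token size computed with no lower bound on len: wraps when len < 2. */
size_t token_len_unchecked(size_t len)
{
	return len - GROUP_FIELD_LEN;
}

/*
 * Hypothetical helper: copy the token out of a payload laid out as
 * [group: 2 bytes][token: 1..256 bytes]. Returns a malloc'd copy and
 * sets *out_len, or returns NULL when len is outside 3..258.
 */
uint8_t *copy_token_checked(const uint8_t *ptr, size_t len, size_t *out_len)
{
	uint8_t *token;

	if (len < GROUP_FIELD_LEN + 1 || len > GROUP_FIELD_LEN + TOKEN_MAX_LEN)
		return NULL;

	*out_len = len - GROUP_FIELD_LEN;
	token = malloc(*out_len);
	if (!token)
		return NULL;

	memcpy(token, ptr + GROUP_FIELD_LEN, *out_len);
	return token;
}

int main(void)
{
	/* Constructed payload: 2-byte group field plus a 3-byte token */
	const uint8_t pkt[] = { 0x13, 0x00, 0xaa, 0xbb, 0xcc };
	size_t n = 0;
	uint8_t *t = copy_token_checked(pkt, sizeof(pkt), &n);
	int ok = t && n == 3 && t[0] == 0xaa;

	free(t);
	/* A 1-byte payload must be dropped, not turned into a huge copy. */
	return (ok && !copy_token_checked(pkt, 1, &n)) ? 0 : 1;
}
```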


@ -651,10 +651,15 @@ static void sae_process_anti_clogging(struct sae_sm *sm, const uint8_t *ptr,
/* /*
* IEEE 802.11-2016 - Section 12.4.6 Anti-clogging tokens * IEEE 802.11-2016 - Section 12.4.6 Anti-clogging tokens
* *
* It is suggested that an Anti-Clogging Token not exceed 256 octets * "It is suggested that an Anti-Clogging Token not exceed 256 octets"
*
* Also ensure the token is at least 1 byte. The packet passed in will
* contain the group number, meaning the anti-clogging token length is
* going to be 2 bytes less than the passed in length. This is why we
* are checking 3 > len > 258.
*/ */
if (len > 256) { if (len < 3 || len > 258) {
l_error("anti-clogging token size %zu too large, 256 max", len); l_error("anti-clogging token size invalid %zu", len);
return; return;
} }
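
Review bot: the last sentence of the new comment, "checking 3 > len > 258", does not describe the condition that follows it, which is "len < 3 || len > 258"; reword it as "reject len < 3 or len > 258" so the comment and the test cannot be read differently. The reworded l_error still labels the value "anti-clogging token size" while printing len, which per the comment includes the 2-byte group number, and it no longer states the accepted range; consider logging it as the packet length together with the limits. The literals 3 and 258 would be easier to audit if expressed as the group number size plus the 1 and 256 byte token bounds.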