ap: Fix invalid length argument to ap_build_beacon_pr_head
Previously resp was a simple array of bytes allocated on the stack.
This was changed to a dynamically allocated array, but the sizeof(resp)
argument to ap_build_beacon_pr_head() was never changed appropriately.
Fix this by introducing a new resp_len variable that holds the number of
bytes allocated for resp. Also, move the allocation after the basic
sanity checks have been performed to avoid allocating/freeing memory
unnecessarily.
Fixes: 18a63f91fd
("ap: Write extra frame IEs from the user")
parent
e0f21ed293
commit
29dd246f5e
13
src/ap.c
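--- a/src/ap.c
+++ b/src/ap.c
@@ -1864,10 +1864,8 @@ static void ap_probe_req_cb(const struct mmpdu_header *hdr, const void *body,
 struct ie_tlv_iter iter;
 const uint8_t *bssid = netdev_get_address(ap->netdev);
 bool match = false;
-L_AUTO_FREE_VAR(uint8_t *, resp) =
-l_malloc(512 + ap_get_extra_ies_len(ap,
-MPDU_MANAGEMENT_SUBTYPE_PROBE_RESPONSE, hdr,
-body + body_len - (void *) hdr));
+uint32_t resp_len;
+uint8_t *resp;
 
 l_info("AP Probe Request from %s",
 util_address_to_string(hdr->address_2));
@@ -1939,9 +1937,13 @@ static void ap_probe_req_cb(const struct mmpdu_header *hdr, const void *body,
 if (!match)
 return;
 
+resp_len = 512 + ap_get_extra_ies_len(ap,
+MPDU_MANAGEMENT_SUBTYPE_PROBE_RESPONSE,
+hdr, body + body_len - (void *) hdr);
+resp = l_new(uint8_t, resp_len);
 len = ap_build_beacon_pr_head(ap,
 MPDU_MANAGEMENT_SUBTYPE_PROBE_RESPONSE,
-hdr->address_2, resp, sizeof(resp));
+hdr->address_2, resp, resp_len);
 len += ap_build_beacon_pr_tail(ap,
 MPDU_MANAGEMENT_SUBTYPE_PROBE_RESPONSE,
 hdr, body + body_len - (void *) hdr,
@@ -1949,6 +1951,7 @@ static void ap_probe_req_cb(const struct mmpdu_header *hdr, const void *body,
 
 ap_send_mgmt_frame(ap, (struct mmpdu_header *) resp, len,
 ap_probe_resp_cb, NULL);
+l_free(resp);
 }
 
 /* 802.11-2016 9.3.3.5 (frame format), 802.11-2016 11.3.5.9 (MLME/SME) */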
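Review bot: The `ap_build_beacon_pr_tail` call in the second hunk is cut off after `hdr, body + body_len - (void *) hdr,`, so it is not visible whether the tail writer is told how much of `resp` is left once the head has been written. If it takes no remaining-length argument, the tail stays inside the allocation only because `512 + ap_get_extra_ies_len(...)` happens to be an upper bound for head plus tail. A probe request is unauthenticated input from any station in range, so that invariant is better enforced than assumed. I would give the tail builder the same treatment the head gets here, passing something like `resp_len - len` as its capacity, and document the constant at the assignment, e.g. `/* 512: fixed header and standard IEs; user-supplied IEs are sized by ap_get_extra_ies_len() */`. `ap_probe_req_cb` begins outside these hunks, so how `len` is treated when the head builder fails is also not visible.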