From 5c9f1db01f0e83fd8d79407c52cb940cb84476bb Mon Sep 17 00:00:00 2001
From: Tomasz Bursztyka
Date: Wed, 21 Jan 2015 13:36:41 +0200
Subject: [PATCH] mpdu: Validate association request mpdu subtype

We do not currently validate the IEs that are following until the end of the frame.
---
 src/mpdu.c | 10 ++++++++++
 src/mpdu.h | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/src/mpdu.c b/src/mpdu.c
index c2e8dc23..19290d83 100644
--- a/src/mpdu.c
+++ b/src/mpdu.c
@@ -48,6 +48,13 @@ static bool validate_mgmt_header(const struct mpdu *mpdu, int len, int *offset)
 return true;
 }
 
+static bool validate_on_ies_start_position_mgmt_mpdu(const struct mpdu *mpdu,
+ int len, int *offset,
+ int position)
+{
+ return *offset + position < len;
+}
+
 static bool validate_atim_mgmt_mpdu(const struct mpdu *mpdu, int len,
 int *offset)
 {
@@ -108,6 +115,9 @@ static bool validate_mgmt_mpdu(const struct mpdu *mpdu, int len, int *offset)
 return false;
 
 switch (mpdu->fc.subtype) {
+ case MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST:
+ return validate_on_ies_start_position_mgmt_mpdu(mpdu, len,
+ offset, 9);
 case MPDU_MANAGEMENT_SUBTYPE_ATIM:
 return validate_atim_mgmt_mpdu(mpdu, len, offset);
 case MPDU_MANAGEMENT_SUBTYPE_DISASSOCIATION:
diff --git a/src/mpdu.h b/src/mpdu.h
index 202c99fa..2180a3a8 100644
--- a/src/mpdu.h
+++ b/src/mpdu.h
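Review bot: validate_on_ies_start_position_mgmt_mpdu leaves `*offset` untouched, so despite its name a caller cannot learn where the IEs begin, and it never reads `mpdu` at all. If the other validators advance `*offset` past the fixed fields (their bodies are outside this hunk), this one should do the same, e.g. `if (*offset + position >= len) return false;` / `*offset += position;` / `return true;`; otherwise drop the unused parameters and document that it is a pure length check. Note also that `<` rejects a frame whose length is exactly `*offset + position`, i.e. it requires at least one byte after the fixed fields — fine if the IEs are mandatory, but a comment should say that is intended.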
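Review bot: The literal `9` in the new ASSOCIATION_REQUEST case has no visible derivation; struct mpdu_association_request, added in the header hunk, has four bytes of fixed fields (capability, listen_interval) before `ies`, so the other five bytes are not explained by the layout. Replace it with a named constant and a comment stating what it accounts for, e.g. `/* capability + listen_interval + <minimum mandatory IEs — TODO confirm against 8.3.3.5> */`. validate_mgmt_mpdu starts outside the hunk, so what `*offset` points at on entry (after the frame control only, or after the full management header) cannot be confirmed here and should be stated in that comment as well.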
@@ -32,10 +32,11 @@ enum mpdu_type {
 
 /* 802.11, Table 8-1 "Valid type and subtype combinations" */
 enum mpdu_management_subtype {
- MPDU_MANAGEMENT_SUBTYPE_ATIM = 0x9,
- MPDU_MANAGEMENT_SUBTYPE_DISASSOCIATION = 0xA,
- MPDU_MANAGEMENT_SUBTYPE_AUTHENTICATION = 0xB,
- MPDU_MANAGEMENT_SUBTYPE_DEAUTHENTICATION = 0xC,
+ MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST = 0x0,
+ MPDU_MANAGEMENT_SUBTYPE_ATIM = 0x9,
+ MPDU_MANAGEMENT_SUBTYPE_DISASSOCIATION = 0xA,
+ MPDU_MANAGEMENT_SUBTYPE_AUTHENTICATION = 0xB,
+ MPDU_MANAGEMENT_SUBTYPE_DEAUTHENTICATION = 0xC,
 };
 
 /* 802.11, Section 8.4.1.1 Authentication Algorithm Number field */
@@ -97,6 +98,54 @@ struct mpdu_mgmt_header {
 #define MPDU_MGMT_SEQUENCE_NUMBER(v) \
 (((v).sequence_number_high << 4) + ((v).sequence_number_low))
 
+/* 802.11, Section 8.4.1.4 */
+struct mpdu_field_capability {
+#if defined(__LITTLE_ENDIAN_BITFIELD)
+ bool ess:1;
+ bool ibss:1;
+ bool cf_pollable:1;
+ bool cf_poll_req:1;
+ bool privacy:1;
+ bool preamble:1;
+ bool pbcc:1;
+ bool chanl_agility:1;
+ bool spectrum_mgmt:1;
+ bool qos:1;
+ bool short_time:1;
+ bool apsd:1;
+ bool radio_mesure:1;
+ bool dsss_ofdm:1;
+ bool delayed_ack:1;
+ bool immediate_ack:1;
+#elif defined (__BIG_ENDIAN_BITFIELD)
+ bool chanl_agility:1;
+ bool pbcc:1;
+ bool preamble:1;
+ bool privacy:1;
+ bool cf_poll_req:1;
+ bool cf_pollable:1;
+ bool ibss:1;
+ bool ess:1;
+ bool immediate_ack:1;
+ bool delayed_ack:1;
+ bool dsss_ofdm:1;
+ bool radio_mesure:1;
+ bool apsd:1;
+ bool short_time:1;
+ bool qos:1;
+ bool spectrum_mgmt:1;
+#else
+#error "Please fix "
+#endif
+} __attribute__ ((packed));
+
+/* 802.11, Section 8.3.3.5 */
+struct mpdu_association_request {
+ struct mpdu_field_capability capability;
+ __le16 listen_interval;
+ uint8_t ies[0];
+} __attribute__ ((packed));
+
 /* 802.11, Section 8.3.3.4 */
 struct mpdu_disassociation {
 __le16 reason_code;
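Review bot: The new public field names in struct mpdu_field_capability carry typos and unclear abbreviations — `radio_mesure` (measurement), `chanl_agility`, `short_time` (the 802.11 bit is short slot time), `preamble` (short preamble) — and because this is a header they will spread to every user, so rename them now, e.g. `bool short_preamble:1;`, `bool short_slot_time:1;`, `bool radio_measurement:1;`. `uint8_t ies[0]` is a GNU zero-length array; the C99 flexible array member `uint8_t ies[];` expresses the same trailing-data intent portably. The `#error "Please fix "` message looks truncated — presumably it named the endianness header — and should tell the reader which macro to define. The bit-level layout of sixteen 1-bit `bool` bitfields under `packed` is ABI-dependent; if the file already relies on this for mpdu_fc (outside the hunk) it is at least consistent, but a `_Static_assert(sizeof(struct mpdu_field_capability) == 2, "capability field must be 2 bytes");` would pin the assumption the frame parser depends on.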
@@ -129,6 +178,7 @@ struct mpdu {
 struct mpdu_fc fc;
 struct mpdu_mgmt_header mgmt_hdr;
 union {
+ struct mpdu_association_request assoc_req;
 struct mpdu_disassociation disassoc;
 struct mpdu_authentication auth;
 struct mpdu_deauthentication deauth;