mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-21 03:32:42 +01:00

mpdu: Validate association request mpdu subtype

We do not currently validate the IEs that follow, up to the end of the
frame.
Tomasz Bursztyka 2015-01-21 13:36:41 +02:00 committed by Denis Kenzior
parent d1c29daa24
commit 5c9f1db01f
2 changed files with 64 additions and 4 deletions


@ -48,6 +48,13 @@ static bool validate_mgmt_header(const struct mpdu *mpdu, int len, int *offset)
return true; return true;
} }
static bool validate_on_ies_start_position_mgmt_mpdu(const struct mpdu *mpdu,
int len, int *offset,
int position)
{
return *offset + position < len;
}
static bool validate_atim_mgmt_mpdu(const struct mpdu *mpdu, static bool validate_atim_mgmt_mpdu(const struct mpdu *mpdu,
int len, int *offset) int len, int *offset)
{ {
@ -108,6 +115,9 @@ static bool validate_mgmt_mpdu(const struct mpdu *mpdu, int len, int *offset)
return false; return false;
switch (mpdu->fc.subtype) { switch (mpdu->fc.subtype) {
case MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST:
return validate_on_ies_start_position_mgmt_mpdu(mpdu, len,
offset, 9);
case MPDU_MANAGEMENT_SUBTYPE_ATIM: case MPDU_MANAGEMENT_SUBTYPE_ATIM:
return validate_atim_mgmt_mpdu(mpdu, len, offset); return validate_atim_mgmt_mpdu(mpdu, len, offset);
case MPDU_MANAGEMENT_SUBTYPE_DISASSOCIATION: case MPDU_MANAGEMENT_SUBTYPE_DISASSOCIATION:
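Review bot: The literal `9` passed as `position` for MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST is not tied to the frame layout. The `struct mpdu_association_request` added by this commit has a 4-byte fixed part (capability plus listen_interval) before `ies`, so unless `*offset` means something not visible in this hunk, the bound does not match where the IEs start. Deriving it from the type, e.g. `offset, offsetof(struct mpdu_association_request, ies));`, or adding a comment that explains the 9, would keep the length check and the struct in step. The helper also only proves that one byte exists past `*offset + position` and leaves `*offset` unchanged, so code that later walks `assoc_req.ies` on a received frame must still check every element's length against `len`; a comment such as `/* IEs are not validated here; callers must bound each element by len */` above the helper would make that explicit. validate_mgmt_mpdu starts and ends outside the hunk.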


@ -32,6 +32,7 @@ enum mpdu_type {
/* 802.11, Table 8-1 "Valid type and subtype combinations" */ /* 802.11, Table 8-1 "Valid type and subtype combinations" */
enum mpdu_management_subtype { enum mpdu_management_subtype {
MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST = 0x0,
MPDU_MANAGEMENT_SUBTYPE_ATIM = 0x9, MPDU_MANAGEMENT_SUBTYPE_ATIM = 0x9,
MPDU_MANAGEMENT_SUBTYPE_DISASSOCIATION = 0xA, MPDU_MANAGEMENT_SUBTYPE_DISASSOCIATION = 0xA,
MPDU_MANAGEMENT_SUBTYPE_AUTHENTICATION = 0xB, MPDU_MANAGEMENT_SUBTYPE_AUTHENTICATION = 0xB,
@ -97,6 +98,54 @@ struct mpdu_mgmt_header {
#define MPDU_MGMT_SEQUENCE_NUMBER(v) \ #define MPDU_MGMT_SEQUENCE_NUMBER(v) \
(((v).sequence_number_high << 4) + ((v).sequence_number_low)) (((v).sequence_number_high << 4) + ((v).sequence_number_low))
/* 802.11, Section 8.4.1.4 */
struct mpdu_field_capability {
#if defined(__LITTLE_ENDIAN_BITFIELD)
bool ess:1;
bool ibss:1;
bool cf_pollable:1;
bool cf_poll_req:1;
bool privacy:1;
bool preamble:1;
bool pbcc:1;
bool chanl_agility:1;
bool spectrum_mgmt:1;
bool qos:1;
bool short_time:1;
bool apsd:1;
bool radio_mesure:1;
bool dsss_ofdm:1;
bool delayed_ack:1;
bool immediate_ack:1;
#elif defined (__BIG_ENDIAN_BITFIELD)
bool chanl_agility:1;
bool pbcc:1;
bool preamble:1;
bool privacy:1;
bool cf_poll_req:1;
bool cf_pollable:1;
bool ibss:1;
bool ess:1;
bool immediate_ack:1;
bool delayed_ack:1;
bool dsss_ofdm:1;
bool radio_mesure:1;
bool apsd:1;
bool short_time:1;
bool qos:1;
bool spectrum_mgmt:1;
#else
#error "Please fix <asm/byteorder.h>"
#endif
} __attribute__ ((packed));
/* 802.11, Section 8.3.3.5 */
struct mpdu_association_request {
struct mpdu_field_capability capability;
__le16 listen_interval;
uint8_t ies[0];
} __attribute__ ((packed));
/* 802.11, Section 8.3.3.4 */ /* 802.11, Section 8.3.3.4 */
struct mpdu_disassociation { struct mpdu_disassociation {
__le16 reason_code; __le16 reason_code;
@ -129,6 +178,7 @@ struct mpdu {
struct mpdu_fc fc; struct mpdu_fc fc;
struct mpdu_mgmt_header mgmt_hdr; struct mpdu_mgmt_header mgmt_hdr;
union { union {
struct mpdu_association_request assoc_req;
struct mpdu_disassociation disassoc; struct mpdu_disassociation disassoc;
struct mpdu_authentication auth; struct mpdu_authentication auth;
struct mpdu_deauthentication deauth; struct mpdu_deauthentication deauth;