Kernel
/
iwd
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git
3
0
Fork 0
Code Releases Activity

hotspot: add length check for roaming consortium 

The hotspot spec specifically mentions the roaming consortium OI be
3 or 5 bytes long. This requirement also prevents potential buffer
overflows if the user were to configure a long roaming consortium OI.
This commit is contained in:
James Prestwood 2019-07-16 09:02:11 -07:00 committed by Denis Kenzior
parent 0f6d1ece78
commit a1699b1587
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/hotspot.c
View File

@ -91,8 +91,21 @@ static struct hs20_config *hs20_config_new(struct l_settings *settings,
config->nai_realms = nai_realms;
rc_str = l_settings_get_value(settings, "Hotspot", "RoamingConsortium");
if (rc_str)
if (rc_str) {
config->rc = l_util_from_hexstring(rc_str, &config->rc_len);
/*
* WiFi Alliance Hotspot 2.0 Spec - Section 3.1.4
*
* "The Consortium OI field is 3 or 5-octet field set to a value
* of a roaming consortium OI"
*/
if (config->rc && config->rc_len != 3 && config->rc_len != 5) {
l_warn("invalid RoamingConsortium length %zu",
config->rc_len);
l_free(config->rc);
config->rc = NULL;
}
}
if (util_mem_is_zero(config->hessid, 6) && !nai_realms && !config->rc) {
l_free(config);