Fix QoS Map Configure frame use

The QoS Map Set element was passed in full to the driver instead of just
the payload of the element. This resulted in the updated QoS Map being
rejected. Validate the element id/len and send only the payload to the
driver.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 44e6be3..b70e1fb 100644 (file)
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3028,12 +3028,15 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
                if (data->rx_action.category == WLAN_ACTION_QOS &&
                    data->rx_action.len >= 1 &&
                    data->rx_action.data[0] == QOS_QOS_MAP_CONFIG) {
+                       const u8 *pos = data->rx_action.data + 1;
+                       size_t len = data->rx_action.len - 1;
                        wpa_dbg(wpa_s, MSG_DEBUG, "Interworking: Received QoS Map Configure frame from "
                                MACSTR, MAC2STR(data->rx_action.sa));
-                       if (os_memcmp(data->rx_action.sa, wpa_s->bssid, ETH_ALEN)
-                           == 0)
-                               wpas_qos_map_set(wpa_s, data->rx_action.data + 1,
-                                                data->rx_action.len - 1);
+                       if (os_memcmp(data->rx_action.sa, wpa_s->bssid,
+                                     ETH_ALEN) == 0 &&
+                           len > 2 && pos[0] == WLAN_EID_QOS_MAP_SET &&
+                           pos[1] <= len - 2 && pos[1] >= 16)
+                               wpas_qos_map_set(wpa_s, pos + 2, pos[1]);
                        break;
                }
 #endif /* CONFIG_INTERWORKING */