Check Public Action length explicitly before reading Action Code
author Jouni Malinen <j@w1.fi>
Sun, 3 May 2015 13:24:01 +0000 (16:24 +0300)
committer Jouni Malinen <j@w1.fi>
Sun, 3 May 2015 13:33:08 +0000 (16:33 +0300)
In theory, the previous version could have resulted in reading one byte
beyond the end of the management frame RX buffer if the local driver
were to deliver a truncated Public Action frame for processing. In
practice, this did not seem to happen with mac80211-based drivers and
even if it were, the extra octet would be an uninitialized value in a
buffer rather than read beyond the end of the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/ieee802_11.c

index 9e7d70d..8d2a066 100644 (file)
@@ -2098,7 +2098,8 @@ static int handle_action(struct hostapd_data *hapd,
        case WLAN_ACTION_PUBLIC:
        case WLAN_ACTION_PROTECTED_DUAL:
 #ifdef CONFIG_IEEE80211N
-               if (mgmt->u.action.u.public_action.action ==
+               if (len >= IEEE80211_HDRLEN + 2 &&
+                   mgmt->u.action.u.public_action.action ==
                    WLAN_PA_20_40_BSS_COEX) {
                        wpa_printf(MSG_DEBUG,
                                   "HT20/40 coex mgmt frame received from STA "
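Review bot: the new bound `len >= IEEE80211_HDRLEN + 2` is the right minimum for reading the one-octet category plus the one-octet action code, but the literal 2 is a magic number; a short comment such as `/* category + action code */` or a named constant next to the condition would let the next reader see why two octets are required without rederiving it from the frame layout. Because the check sits inside the `#ifdef CONFIG_IEEE80211N` block, it only protects this `WLAN_PA_20_40_BSS_COEX` comparison; any other code path in handle_action() that reads `mgmt->u.action.u.public_action.action` for the `WLAN_ACTION_PUBLIC` or `WLAN_ACTION_PROTECTED_DUAL` categories would need the same length check, and it is worth confirming that those paths are covered or placing the check once before the category switch.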