Validate WEXT event iwe->u.data.length before using the event data
authorJouni Malinen <jouni.malinen@atheros.com>
Sat, 27 Sep 2008 07:49:56 +0000 (10:49 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 27 Sep 2008 07:49:56 +0000 (10:49 +0300)
This is needed to avoid crashing wpa_supplicant with invalid event messages
that may be received when using a 64-bit kernel with 32-bit userspace.

src/drivers/driver_wext.c

index a3c4733..6b7f1a7 100644 (file)
@@ -652,12 +652,20 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
                        }
                        break;
                case IWEVMICHAELMICFAILURE:
+                       if (custom + iwe->u.data.length > end) {
+                               wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+                                          "IWEVMICHAELMICFAILURE length");
+                               return;
+                       }
                        wpa_driver_wext_event_wireless_michaelmicfailure(
                                ctx, custom, iwe->u.data.length);
                        break;
                case IWEVCUSTOM:
-                       if (custom + iwe->u.data.length > end)
+                       if (custom + iwe->u.data.length > end) {
+                               wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+                                          "IWEVCUSTOM length");
                                return;
+                       }
                        buf = os_malloc(iwe->u.data.length + 1);
                        if (buf == NULL)
                                return;
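Review bot: The bounds check `custom + iwe->u.data.length > end` added for IWEVMICHAELMICFAILURE (and now braced for IWEVCUSTOM) forms a pointer that may lie past the end of the event buffer before it is compared. That is undefined behaviour in C, and the sum can in principle wrap in a 32-bit address space, which is the userspace this commit targets. Comparing sizes avoids forming the out-of-range pointer: `if (custom > end || iwe->u.data.length > end - custom) {`. The same expression is added for IWEVASSOCREQIE, IWEVASSOCRESPIE and IWEVPMKIDCAND in the second hunk. `custom` and `end` are assigned outside this hunk, so whether `custom <= end` is already guaranteed cannot be confirmed from the visible lines.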
@@ -673,14 +681,29 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
                        wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL);
                        break;
                case IWEVASSOCREQIE:
+                       if (custom + iwe->u.data.length > end) {
+                               wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+                                          "IWEVASSOCREQIE length");
+                               return;
+                       }
                        wpa_driver_wext_event_wireless_assocreqie(
                                drv, custom, iwe->u.data.length);
                        break;
                case IWEVASSOCRESPIE:
+                       if (custom + iwe->u.data.length > end) {
+                               wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+                                          "IWEVASSOCRESPIE length");
+                               return;
+                       }
                        wpa_driver_wext_event_wireless_assocrespie(
                                drv, custom, iwe->u.data.length);
                        break;
                case IWEVPMKIDCAND:
+                       if (custom + iwe->u.data.length > end) {
+                               wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+                                          "IWEVPMKIDCAND length");
+                               return;
+                       }
                        wpa_driver_wext_event_wireless_pmkidcand(
                                drv, custom, iwe->u.data.length);
                        break;
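Review bot: The rejection branches added for IWEVASSOCREQIE, IWEVASSOCRESPIE and IWEVPMKIDCAND log only a fixed string, so the debug log cannot show how far the reported length exceeded the buffer, nor help tell a 64/32-bit layout mismatch from a malformed event. Logging the value would make these drops diagnosable, e.g. `wpa_printf(MSG_DEBUG, "WEXT: Invalid IWEVASSOCREQIE length %u", (unsigned int) iwe->u.data.length);`. The same five-line check now appears in five cases across both hunks, and a small static helper taking the event name would keep the copies from drifting apart. The `return` presumably also discards any further events in the same message, since the enclosing loop is outside the hunk, so a short comment such as `/* stop parsing: the rest of the buffer cannot be trusted */` would record that this is intended.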