tdls_verify_mic() and tdls_verify_mic_teardown() could have tried to
read the 16-octet FTIE MIC when processing a TDLS frame even if the
received FTIE is truncated. At least in theory, this could result in
reading couple of octets beyond the frame buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
struct rsn_ftie *tmp_ftie;
if (elems->link_id == NULL || elems->rsn_ie == NULL ||
- elems->timeout_int == NULL || elems->ftie == NULL)
+ elems->timeout_int == NULL || elems->ftie == NULL ||
+ elems->ftie_len < sizeof(struct rsn_ftie))
return -1;
len = 2 * ETH_ALEN + 1 + 2 + 18 + 2 + elems->rsn_ie_len +
const struct rsn_ftie *rx_ftie;
struct rsn_ftie *tmp_ftie;
- if (elems->link_id == NULL || elems->ftie == NULL)
+ if (elems->link_id == NULL || elems->ftie == NULL ||
+ elems->ftie_len < sizeof(struct rsn_ftie))
return -1;
len = 2 + 18 + 2 + 1 + 1 + 2 + elems->ftie_len;