[PATCH 03/15] wpa_supplicant: Validate RRM request frame format


 



From: Avraham Stern <avraham.stern@xxxxxxxxx>

An RRM request frame should contain only information elements of type
Radio Measurement Request.
Walk the entire frame and verify that only elements of this type are
present.

In addition, if a truncated element is encountered, or the element
length field indicates that the element length is more than the
entire frame, abort the request.

Signed-off-by: Avraham Stern <avraham.stern@xxxxxxxxx>
---
 wpa_supplicant/rrm.c | 48 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 13 deletions(-)

diff --git a/wpa_supplicant/rrm.c b/wpa_supplicant/rrm.c
index c2bde04..c63174d 100644
--- a/wpa_supplicant/rrm.c
+++ b/wpa_supplicant/rrm.c
@@ -343,7 +343,7 @@ void wpas_rrm_handle_radio_measurement_request(struct wpa_supplicant *wpa_s,
 {
 	struct wpabuf *buf, *report;
 	u8 token;
-	const u8 *ie, *end;
+	const u8 *end;
 
 	if (wpa_s->wpa_state != WPA_COMPLETED) {
 		wpa_printf(MSG_INFO,
@@ -371,26 +371,45 @@ void wpas_rrm_handle_radio_measurement_request(struct wpa_supplicant *wpa_s,
 	frame += 2;
 
 	report = NULL;
-	while ((ie = get_ie(frame, end - frame, WLAN_EID_MEASURE_REQUEST)) &&
-	       ie[1] >= 3) {
-		u8 msmt_type;
+	while (end - frame) {
+		struct rrm_measurement_request_element *req = (void *)frame;
 
-		msmt_type = ie[4];
-		wpa_printf(MSG_DEBUG, "RRM request %d", msmt_type);
+		if (end - frame < 2) {
+			wpa_printf(MSG_DEBUG, "RRM: Truncated element");
+			goto out;
+		}
+
+		if (req->eid != WLAN_EID_MEASURE_REQUEST) {
+			wpa_printf(MSG_DEBUG,
+				   "RRM: Expected Measurement Request element, but EID is %hhu",
+				   req->eid);
+			goto out;
+		}
 
-		switch (msmt_type) {
+		if (req->len < 3) {
+			wpa_printf(MSG_DEBUG, "RRM: Element length too short");
+			goto out;
+		}
+
+		if (req->len + 2 > end - frame) {
+			wpa_printf(MSG_DEBUG, "RRM: Element length too long");
+			goto out;
+		}
+
+		wpa_printf(MSG_DEBUG, "RRM request type: %hhu", req->type);
+
+		switch (req->type) {
 		case MEASURE_TYPE_LCI:
-			report = wpas_rrm_build_lci_report(wpa_s, ie + 2, ie[1],
-							   report);
+			report = wpas_rrm_build_lci_report(wpa_s, frame + 2,
+							   req->len, report);
 			break;
 		default:
 			wpa_printf(MSG_INFO,
-				   "RRM: Unsupported radio measurement request %d",
-				   msmt_type);
-			break;
+				   "RRM: unsupported radio measurement request %hhu",
+				   req->type);
 		}
 
-		frame = ie + ie[1] + 2;
+		frame = frame + req->len + 2;
 	}
 
 	if (!report)
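Review bot: The cast `struct rrm_measurement_request_element *req = (void *)frame;` throws away the const qualifier on the frame pointer (end and the removed ie are `const u8 *`, and req is only read in this loop), so a later write through req would go unnoticed by the compiler; write it as `const struct rrm_measurement_request_element *req = (const void *) frame;`. The read of `req->type` is only in bounds because the `req->len < 3` check and the `req->len + 2 > end - frame` check both run before it, presumably matching the old `ie[4]` offset into the element; that dependency on check order deserves a comment such as `/* len >= 3: token, mode and type are inside the element */` above the wpa_printf. The function's signature and its tail, including the `report` handling after `if (!report)`, are outside this hunk.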
@@ -416,6 +435,9 @@ void wpas_rrm_handle_radio_measurement_request(struct wpa_supplicant *wpa_s,
 			   "RRM: Radio measurement report failed: Sending Action frame failed");
 	}
 	wpabuf_free(buf);
+
+out:
+	wpabuf_free(report);
 }
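Review bot: The new `out:` label is reached by fall-through from the success path right after `wpabuf_free(buf);`, so `report` is freed there on every exit; the lines between this hunk and the previous one are untouched by the patch, and if they still hold the pre-patch `wpabuf_free(report);` after `wpabuf_put_buf(buf, report);` and in the `!buf` branch, the normal path now frees report twice. Either drop those intermediate frees and turn the allocation failure branch into `if (!buf) goto out;`, so the release at `out:` is the single owner of report, or put `return;` before the label so it is only reached by the goto from the parsing loop. This cannot be confirmed from the hunk alone, since the lines in question are not shown.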
 
 
-- 
1.9.1




