[PATCH] wpa_supplicant: Check length when building ext_cabality in assoc_cb

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Adiel Aloni <adiel.aloni@xxxxxxxxx>

When building wpa_ie in wpas_start_assoc_cb with ext_capab,
make sure that assignment does not exceed max_wpa_ie_len.

Signed-off-by: Adiel Aloni <adiel.aloni@xxxxxxxxx>
---
 wpa_supplicant/wpa_supplicant.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 4932fa8..9daf172 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2567,7 +2567,8 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
 		int ext_capab_len;
 		ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
 						     sizeof(ext_capab));
-		if (ext_capab_len > 0) {
+		if (ext_capab_len > 0 &&
+		    (wpa_ie_len + ext_capab_len) <= max_wpa_ie_len) {
 			u8 *pos = wpa_ie;
 			if (wpa_ie_len > 0 && pos[0] == WLAN_EID_RSN)
 				pos += 2 + pos[1];
-- 
2.7.4


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux