The parsed 'length' field points beyond the end of the frame, for some malformed packets. I haven't figured the source of said packets (I'm using kernel 4.14.177, FWIW), but we can at least be safer about our handling of them here.
Signed-off-by: Brian Norris <briannorris@xxxxxxxxxxxx>
---
 tests/hwsim/test_sae.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/hwsim/test_sae.py b/tests/hwsim/test_sae.py
index ed6ae89dc1b1..3722cd42719e 100644
--- a/tests/hwsim/test_sae.py
+++ b/tests/hwsim/test_sae.py
@@ -1788,8 +1788,10 @@ def build_sae_commit(bssid, addr, group=21, token=None):
 
 def sae_rx_commit_token_req(sock, radiotap, send_two=False):
     msg = sock.recv(1500)
-    ver, pad, len, present = struct.unpack('<BBHL', msg[0:8])
-    frame = msg[len:]
+    ver, pad, length, present = struct.unpack('<BBHL', msg[0:8])
+    frame = msg[length:]
+    if len(frame) < 4:
+        return False
     fc, duration = struct.unpack('<HH', frame[0:4])
     if fc != 0xb0:
         return False
-- 
2.27.0.278.ge193c7cf3a9-goog
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
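Review bot: The radiotap header unpack on the line before the new guard is still unprotected: `struct.unpack('<BBHL', msg[0:8])` raises struct.error for any packet shorter than 8 bytes, so a truncated frame from the same malformed source would still crash the test instead of being rejected. Since the commit's intent is to tolerate malformed input from the monitor socket, the same early-return belongs before that line too, e.g. `if len(msg) < 8: return False`. It is also worth rejecting a header length smaller than the 8 bytes just consumed (`if length < 8 or len(frame) < 4: return False`), since such a `frame` slice would start inside the radiotap header rather than at the 802.11 frame; whether radiotap can legitimately advertise less than 8 is something to confirm against the radiotap spec. The body of sae_rx_commit_token_req continues past the end of the hunk, so any later fixed-offset reads of `frame` beyond the first 4 bytes should be checked for the same problem.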