
[PATCH 2/2] iw: scan: better length checks in print_wifi_wps()


 



Signed-off-by: Markus Theil <markus.theil@xxxxxxxxxxxxx>
---
 scan.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/scan.c b/scan.c
index a5beb0e..dbfe44c 100644
--- a/scan.c
+++ b/scan.c
@@ -1829,6 +1829,11 @@ static void print_wifi_wps(const uint8_t type, uint8_t len, const uint8_t *data,
 		switch (subtype) {
 		case 0x104a:
 			tab_on_first(&first);
+			if (sublen < 1) {
+				printf("\t * Version: (invalid "
+				       "length %d)\n", sublen);
+				break;
+			}
 			printf("\t * Version: %d.%d\n", data[4] >> 4, data[4] & 0xF);
 			break;
 		case 0x1011:
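Review bot: The new `sublen < 1` guard in case 0x104a compares the declared attribute length with a constant, not with the remaining `len` of the element, and the same holds for the checks added in the 0x103b, 0x1041, 0x1044 and 0x1008/0x1053 hunks. `sublen` appears to be read from the attribute header, which in scan results is supplied by whatever AP is in range, so a truncated element could declare `sublen >= 1` while `data[4]` already lies past the end of the buffer. The loop head is outside this hunk; if it does not already reject oversized attributes, a single check before the `switch`, such as `if (sublen + 4 > len) break;`, would cover every case, including the `%.*s` prints that use `sublen` directly.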
@@ -1861,6 +1866,11 @@ static void print_wifi_wps(const uint8_t type, uint8_t len, const uint8_t *data,
 			printf("\t * Model Number: %.*s\n", sublen, data + 4);
 			break;
 		case 0x103b: {
+			if (sublen < 1) {
+				printf("\t * Response Type: (invalid "
+				       "length %d)\n", sublen);
+				break;
+			}
 			__u8 val = data[4];
 			tab_on_first(&first);
 			printf("\t * Response Type: %d%s\n",
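Review bot: In case 0x103b the length check runs before `tab_on_first(&first);`, whereas the 0x104a hunk places it after that call; the 0x1041, 0x1044 and 0x1008/0x1053 hunks follow the 0x103b order. `tab_on_first` is not visible on this page, but if it emits indentation or clears `first`, the invalid-length line will be indented differently from the valid one and `first` will stay set after the `break`. Moving `tab_on_first(&first);` above `if (sublen < 1) {` in those four cases would make all six behave the same way. The case block continues past the end of this hunk.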
@@ -1874,6 +1884,11 @@ static void print_wifi_wps(const uint8_t type, uint8_t len, const uint8_t *data,
 			break;
 		}
 		case 0x1041: {
+			if (sublen < 1) {
+				printf("\t * Selected Registrar: (invalid "
+				       "length %d)\n", sublen);
+				break;
+			}
 			__u8 val = data[4];
 			tab_on_first(&first);
 			printf("\t * Selected Registrar: 0x%x\n", val);
@@ -1884,6 +1899,11 @@ static void print_wifi_wps(const uint8_t type, uint8_t len, const uint8_t *data,
 			printf("\t * Serial Number: %.*s\n", sublen, data + 4);
 			break;
 		case 0x1044: {
+			if (sublen < 1) {
+				printf("\t * Wi-Fi Protected Setup State: (invalid "
+				       "length %d)\n", sublen);
+				break;
+			}
 			__u8 val = data[4];
 			tab_on_first(&first);
 			printf("\t * Wi-Fi Protected Setup State: %d%s%s\n",
@@ -1928,6 +1948,11 @@ static void print_wifi_wps(const uint8_t type, uint8_t len, const uint8_t *data,
 		}
 		case 0x1008:
 		case 0x1053: {
+			if (sublen < 2) {
+				printf("\t * Config methods: (invalid "
+				       "length %d)\n", sublen);
+				break;
+			}
 			__u16 meth = (data[4] << 8) + data[5];
 			bool comma = false;
 			tab_on_first(&first);
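Review bot: Both `case 0x1008` and `case 0x1053` fall into this check, so the message `Config methods: (invalid length %d)` does not say which of the two attributes was malformed. Printing the subtype as well, e.g. `printf("\t * Config methods (0x%04x): (invalid length %d)\n", subtype, sublen);`, would keep them apart when reading scan output from a misbehaving AP. The format string is also split across two source lines here and in the other five hunks, which makes the message hard to grep for; each literal fits better on one line. The case block continues past the end of the hunk.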
-- 
2.25.0



