
[PATCH] add length checks for WPA/RSN cipher and authentication suites


 



---
 scan.c |   22 +++++++++++++++++++++-
 1 files changed, 21 insertions(+), 1 deletions(-)

diff --git a/scan.c b/scan.c
index 720c48d..9698f9f 100644
--- a/scan.c
+++ b/scan.c
@@ -317,9 +317,12 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
 	}
 
 	count = data[0] | (data[1] << 8);
+	if (2 + (count * 4) > len)
+		goto invalid;
+
 	tab_on_first(&first);
 	printf("\t * Pairwise ciphers:");
-	for (i=0; i<count; i++) {
+	for (i = 0; i < count; i++) {
 		printf(" ");
 		print_cipher(data + 2 + (i * 4));
 	}
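Review bot: The bound `2 + (count * 4) > len` is written with bare numbers here and again in the authentication-suite hunk, and nothing says that `count` is read straight from the received element or that each suite selector occupies 4 bytes. A comment above the first check would record why it exists, for example `/* count comes from the frame: the 2-byte count field plus count 4-byte suite selectors must fit in len */`. The spacing change on the `for (i = 0; i < count; i++)` line is cosmetic and would be easier to review apart from the length checks. print_rsn_ie starts and ends outside this hunk.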
@@ -335,6 +338,9 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
 	}
 
 	count = data[0] | (data[1] << 8);
+	if (2 + (count * 4) > len)
+		goto invalid;
+
 	tab_on_first(&first);
 	printf("\t * Authentication suites:");
 	for (i = 0; i < count; i++) {
@@ -352,6 +358,20 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
 	capa = data[0] | (data[1] << 8);
 	tab_on_first(&first);
 	printf("\t * Capabilities: 0x%.4x\n", capa);
+
+	data += 2;
+	len -= 2;
+
+invalid:
+	if (len != 0) {
+		printf("\t\t * bogus tail data (%d):", len);
+		while (len) {
+			printf(" %.2x", *data);
+			data++;
+			len--;
+		}
+		printf("\n");
+	}
 }
 
 static void print_rsn(const uint8_t type, uint8_t len, const uint8_t *data)
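Review bot: The `invalid:` label is also reached by falling through after the capabilities field, so a well-formed element that carries further fields is reported as `bogus tail data`. RSN elements can legitimately carry a PMKID count and list after the capabilities, and the visible lines do not parse them, so a neutral message such as `printf("\t\t * unparsed tail data (%d):", len);` with a label named `tail:` would avoid calling valid data bogus. On the `goto` path the dump begins at the count field that failed validation, which deserves a comment above the label, e.g. `/* dump whatever was not parsed, including a count field that failed the length check */`. The body of print_rsn_ie begins outside this hunk.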
-- 
1.6.0.6
