Move SA Query frame length check to the shared handler function
authorJouni Malinen <j@w1.fi>
Sat, 9 Mar 2019 10:40:05 +0000 (12:40 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 9 Mar 2019 10:41:49 +0000 (12:41 +0200)
Check the length in the common handler function instead of in both
callers.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/drv_callbacks.c
src/ap/ieee802_11.c
src/ap/ieee802_11_shared.c

index 1c47309f1c63439bb74ee3dc73c295426271b785..9275e590725ffb9b0e16556dbbf87e4cd85d8b61 100644 (file)
@@ -1110,8 +1110,9 @@ static void hostapd_action_rx(struct hostapd_data *hapd,
        }
 #endif /* CONFIG_IEEE80211R_AP */
 #ifdef CONFIG_IEEE80211W
-       if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY && plen >= 4) {
+       if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY) {
                ieee802_11_sa_query_action(hapd, mgmt, drv_mgmt->frame_len);
+               return;
        }
 #endif /* CONFIG_IEEE80211W */
 #ifdef CONFIG_WNM_AP
index 589d82e9061f9b57d24a6cb9f953dc6d202e10f1..2e01530b20fccc256257957502c9b80e82ad1f7b 100644 (file)
@@ -4102,26 +4102,6 @@ static void handle_beacon(struct hostapd_data *hapd,
 
 
 #ifdef CONFIG_IEEE80211W
-
-static int hostapd_sa_query_action(struct hostapd_data *hapd,
-                                  const struct ieee80211_mgmt *mgmt,
-                                  size_t len)
-{
-       const u8 *end;
-
-       end = mgmt->u.action.u.sa_query_resp.trans_id +
-               WLAN_SA_QUERY_TR_ID_LEN;
-       if (((u8 *) mgmt) + len < end) {
-               wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action "
-                          "frame (len=%lu)", (unsigned long) len);
-               return 0;
-       }
-
-       ieee802_11_sa_query_action(hapd, mgmt, len);
-       return 1;
-}
-
-
 static int robust_action_frame(u8 category)
 {
        return category != WLAN_ACTION_PUBLIC &&
@@ -4207,7 +4187,8 @@ static int handle_action(struct hostapd_data *hapd,
                return 1;
 #ifdef CONFIG_IEEE80211W
        case WLAN_ACTION_SA_QUERY:
-               return hostapd_sa_query_action(hapd, mgmt, len);
+               ieee802_11_sa_query_action(hapd, mgmt, len);
+               return 1;
 #endif /* CONFIG_IEEE80211W */
 #ifdef CONFIG_WNM_AP
        case WLAN_ACTION_WNM:
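Review bot: The new `return 1;` after the call is unconditional, whereas the removed `hostapd_sa_query_action()` returned 0 on the too-short path, so whatever handle_action's return value signals to its caller, a truncated SA Query frame now produces the same result as a processed one. If the caller distinguishes those cases (it is outside this hunk, so that cannot be confirmed here), let `ieee802_11_sa_query_action()` return an int that is 0 on the too-short path and write `return ieee802_11_sa_query_action(hapd, mgmt, len);`; otherwise a sentence in the commit message noting that the return value changed for short frames would help the next reader. handle_action begins and ends outside this hunk.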
index d70d6c1b5f6f62f8d69a8707cbb048b55d0add38..707381ffe7099cdb3e03a2f265812bcfd8d03d01 100644 (file)
@@ -213,6 +213,14 @@ void ieee802_11_sa_query_action(struct hostapd_data *hapd,
        const u8 action_type = mgmt->u.action.u.sa_query_resp.action;
        const u8 *trans_id = mgmt->u.action.u.sa_query_resp.trans_id;
 
+       if (((const u8 *) mgmt) + len <
+           mgmt->u.action.u.sa_query_resp.variable) {
+               wpa_printf(MSG_DEBUG,
+                          "IEEE 802.11: Too short SA Query Action frame (len=%lu)",
+                          (unsigned long) len);
+               return;
+       }
+
        sta = ap_get_sta(hapd, sa);
 
 #ifdef CONFIG_OCV
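Review bot: The added length guard runs after `action_type` has already been read from `mgmt->u.action.u.sa_query_resp.action` on the line above it, so the action byte is dereferenced before the frame is known to reach it; taking the address of `trans_id` is only pointer arithmetic, but the `action` read is a real access. Callers may guarantee the category and action bytes (the removed `plen >= 4` test in drv_callbacks.c hints that some minimum was enforced there), but that cannot be confirmed from this hunk, and the point of moving the check into the shared handler is that it no longer depends on each caller. Declare `u8 action_type;` with the other locals and assign `action_type = mgmt->u.action.u.sa_query_resp.action;` after the guard, so every access to the SA Query body follows the length check. The function's signature and the rest of its declarations are above this hunk.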