Ignore too long SSID element value in parser
authorJouni Malinen <jouni@qca.qualcomm.com>
Tue, 7 Apr 2015 08:50:10 +0000 (11:50 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 22 Apr 2015 08:44:18 +0000 (11:44 +0300)
The SSID element is defined to have a valid length range of 0-32. While
this length was supposed to be validated by the users of the element
parser, there are not really any valid cases where the maximum length of
32 octet SSID would be exceeded and as such, the parser itself can
enforce the limit as an additional protection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/common/ieee802_11_common.c
src/common/ieee802_11_defs.h

index aca0b73223bb8b3ff2b3c41a0de31f761802d26b..c741e13b0b98c71849f910c6f61b20f1d88e990b 100644 (file)
@@ -196,6 +196,12 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
 
                switch (id) {
                case WLAN_EID_SSID:
+                       if (elen > SSID_MAX_LEN) {
+                               wpa_printf(MSG_DEBUG,
+                                          "Ignored too long SSID element (elen=%u)",
+                                          elen);
+                               break;
+                       }
                        elems->ssid = pos;
                        elems->ssid_len = elen;
                        break;
index 6e9c43cb2068111c5e0de3de019d79962f942c26..62009f5124f25f5f4641e6811f3001415a6f4406 100644 (file)
@@ -1354,4 +1354,6 @@ struct rrm_link_measurement_report {
        u8 variable[0];
 } STRUCT_PACKED;
 
+#define SSID_MAX_LEN 32
+
 #endif /* IEEE802_11_DEFS_H */
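Review bot: `SSID_MAX_LEN` is added without a comment at the very end of the header, after an unrelated struct, so its unit and origin are not discoverable from the definition. I would add `/* Maximum length of the SSID element value in octets (valid range 0-32) */` above it. The parser bound only protects consumers whose buffers are sized from the same value, so any destination arrays or checks elsewhere that use a literal `32` (not visible in this commit) would be worth converting to the constant in a follow-up.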