TDLS: Validate FTIE length before processing it

This avoids reading past the end of the IE buffer should the FTIE
be too short. In addition, one debug hexdump was using uninitialized
pointer to the FTIE buffer, so fixed it to use the pointer from the
parse data.

diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index 9133c9a746a27c9b6a74ed9a7642178a4b2ba0e9..e75186798230bf8c1dcdf5bb24d2ecffe9c79cc2 100644 (file)
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -753,7 +753,7 @@ static int wpa_tdls_recv_teardown(struct wpa_sm *sm, const u8 *src_addr,
        if (!wpa_tdls_get_privacy(sm) || !peer->tpk_set || !peer->tpk_success)
                goto skip_ftie;
 
-       if (kde.ftie == NULL) {
+       if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
                wpa_printf(MSG_INFO, "TDLS: No FTIE in TDLS Teardown");
                return -1;
        }
@@ -1247,7 +1247,8 @@ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
                goto skip_rsn;
        }
 
-       if (kde.ftie == NULL || kde.rsn_ie == NULL) {
+       if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
+           kde.rsn_ie == NULL) {
                wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M1");
                status = WLAN_STATUS_INVALID_PARAMETERS;
                goto error;
@@ -1558,7 +1559,8 @@ static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
                goto skip_rsn;
        }
 
-       if (kde.ftie == NULL || kde.rsn_ie == NULL) {
+       if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie) ||
+           kde.rsn_ie == NULL) {
                wpa_printf(MSG_INFO, "TDLS: No FTIE or RSN IE in TPK M2");
                status = WLAN_STATUS_INVALID_PARAMETERS;
                goto error;
@@ -1727,12 +1729,12 @@ static int wpa_tdls_process_tpk_m3(struct wpa_sm *sm, const u8 *src_addr,
        if (!wpa_tdls_get_privacy(sm))
                goto skip_rsn;
 
-       if (kde.ftie == NULL) {
+       if (kde.ftie == NULL || kde.ftie_len < sizeof(*ftie)) {
                wpa_printf(MSG_INFO, "TDLS: No FTIE in TPK M3");
                return -1;
        }
        wpa_hexdump(MSG_DEBUG, "TDLS: FTIE Received from TPK M3",
-                   (u8 *) ftie, sizeof(*ftie));
+                   kde.ftie, sizeof(*ftie));
        ftie = (struct wpa_tdls_ftie *) kde.ftie;
 
        if (kde.rsn_ie == NULL) {