From: Jouni Malinen
Date: Tue, 3 Jan 2017 13:12:34 +0000 (+0200)
Subject: Fix LCI request subelement processing
X-Git-Tag: hostap_2_7~1863
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6a31440b86b182452fc87bcdb2a81f95242fb0c6;p=thirdparty%2Fhostap.git

Fix LCI request subelement processing

Commit 4a742011abca8a9c185cc40d17783cfa4c9af757 ('wpa_supplicant: Handle LCI request') introduced LCI request parsing in a manner that incremented the request pointer by four within wpas_rrm_build_lci_report() without decrementing len correspondingly. This could potentially result in get_ie() reading four octets beyond the buffer if a corrupted request is received. This would be applicable only if the LCI reporting was enabled explicitly ("SET LCI ..." control interface command).

Fix this by updating the len variable to match the request pointer changes.

Signed-off-by: Jouni Malinen
---
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 214b9b346..bbb763e87 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -6565,6 +6565,7 @@ static struct wpabuf * wpas_rrm_build_lci_report(struct wpa_supplicant *wpa_s, request++; type = *request++; subject = *request++; + len -= 4; wpa_printf(MSG_DEBUG, "Measurement request token %u type %u location subject %u",
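Review bot: the added `len -= 4;` keeps len in step with the four header octets consumed by `request++; type = *request++; subject = *request++;` (plus the earlier increment), but the hunk shows no check that len was at least 4 before those reads, and the type of len is not visible here. If len is unsigned (size_t or similar), a request shorter than four octets makes `len -= 4` wrap to a very large value and get_ie() would then scan well past the buffer; if it is signed, len goes negative and the outcome depends on how get_ie() treats it. Please either confirm that the caller rejects measurement request elements shorter than four octets before this function is entered, or add an explicit guard ahead of the header reads, for example `if (len < 4) return NULL;`, so the length bookkeeping the commit message describes holds for every input and not only for well-formed ones. Since the message notes this path is reachable only with "SET LCI" enabled, a one-line comment in the function saying the caller has validated the minimum length would also help future readers.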