From 0c881807b5c1305c6003f230181f4b185ce9188c Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Sun, 22 Oct 2017 11:37:56 +0300
Subject: [PATCH] DPP: Verify that Wrapped Data attribute is the last one in
 the message

Do not allow any additional attributes to be included after the Wrapped
Data attribute.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
 src/common/dpp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/common/dpp.c b/src/common/dpp.c
index fa98db2f3..596c81cb3 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -527,6 +527,7 @@ const u8 * dpp_get_attr(const u8 *buf, size_t len, u16 req_id, u16 *ret_len)
 int dpp_check_attrs(const u8 *buf, size_t len)
 {
 	const u8 *pos, *end;
+	int wrapped_data = 0;
 
 	pos = buf;
 	end = buf + len;
@@ -544,6 +545,13 @@ int dpp_check_attrs(const u8 *buf, size_t len)
 				   "DPP: Truncated message - not enough room for the attribute - dropped");
 			return -1;
 		}
+		if (wrapped_data) {
+			wpa_printf(MSG_DEBUG,
+				   "DPP: An unexpected attribute included after the Wrapped Data attribute");
+			return -1;
+		}
+		if (id == DPP_ATTR_WRAPPED_DATA)
+			wrapped_data = 1;
 		pos += alen;
 	}
 
-- 
2.47.3