wlantest: Fix Beacon and Probe Response frame parser
authorJouni Malinen <j@w1.fi>
Sat, 18 Apr 2015 14:59:30 +0000 (17:59 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 22 Apr 2015 08:44:19 +0000 (11:44 +0300)
These functions did not verify that the received frame is long enough to
contain the beginning of the variable length IE area. A truncated frame
could have caused a segmentation fault due to reading beyond the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
wlantest/rx_mgmt.c

index 5f60abec4fb63485ab083be1e4f8f317a08cd927..459b9a69f61a875799b4fbb17be0d62ac4733735 100644 (file)
@@ -53,16 +53,19 @@ static void rx_mgmt_beacon(struct wlantest *wt, const u8 *data, size_t len)
        const struct ieee80211_mgmt *mgmt;
        struct wlantest_bss *bss;
        struct ieee802_11_elems elems;
+       size_t offset;
 
        mgmt = (const struct ieee80211_mgmt *) data;
+       offset = mgmt->u.beacon.variable - data;
+       if (len < offset)
+               return;
        bss = bss_get(wt, mgmt->bssid);
        if (bss == NULL)
                return;
        if (bss->proberesp_seen)
                return; /* do not override with Beacon data */
        bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info);
-       if (ieee802_11_parse_elems(mgmt->u.beacon.variable,
-                                  len - (mgmt->u.beacon.variable - data),
+       if (ieee802_11_parse_elems(mgmt->u.beacon.variable, len - offset,
                                   &elems, 0) == ParseFailed) {
                if (bss->parse_error_reported)
                        return;
@@ -81,16 +84,19 @@ static void rx_mgmt_probe_resp(struct wlantest *wt, const u8 *data, size_t len)
        const struct ieee80211_mgmt *mgmt;
        struct wlantest_bss *bss;
        struct ieee802_11_elems elems;
+       size_t offset;
 
        mgmt = (const struct ieee80211_mgmt *) data;
+       offset = mgmt->u.probe_resp.variable - data;
+       if (len < offset)
+               return;
        bss = bss_get(wt, mgmt->bssid);
        if (bss == NULL)
                return;
 
        bss->counters[WLANTEST_BSS_COUNTER_PROBE_RESPONSE]++;
        bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info);
-       if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
-                                  len - (mgmt->u.probe_resp.variable - data),
+       if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - offset,
                                   &elems, 0) == ParseFailed) {
                if (bss->parse_error_reported)
                        return;