P2P: Add a maximum length limit for peer vendor IEs

This is mainly to help with fuzz testing that could generate overly long
test data that would not be possible in real use cases due to MMPDU size
limits. The implementation for storing vendor IEs with such
unrealisticly long IE buffers can result in huge number of memory
reallozations and analyzing those can be very heavy.

While the maximum length of the fuzzing test input could be limited, it
seems nicer to limit this IE storage limit instead to avoid timeouts
from fuzz test runs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 5cbfc217fc1f7a724bac6955f73db6a8def87174..9524aef5ae125d038ffc9417c1ea0b4ebca6e592 100644 (file)
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -665,6 +665,8 @@ static void p2p_update_peer_vendor_elems(struct p2p_device *dev, const u8 *ies,
                if (wpabuf_resize(&dev->info.vendor_elems, 2 + len) < 0)
                        break;
                wpabuf_put_data(dev->info.vendor_elems, pos - 2, 2 + len);
+               if (wpabuf_size(dev->info.vendor_elems) > 2000)
+                       break;
        }
 }