WPS: Truncate variable length string attributes to maximum length
authorJouni Malinen <j@w1.fi>
Sun, 19 Apr 2015 14:17:37 +0000 (17:17 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 22 Apr 2015 19:05:12 +0000 (22:05 +0300)
This enforces variable length strings Manufacturer, Model Name, Model
Number, and Serial Number to be within the maximum length defined in the
WSC specification. While none of the existing users for these within
hostapd/wpa_supplicant had problems with longer strings, it is good to
ensure the strings are not longer to avoid potential issues at higher
layer components.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/p2p/p2p.h
src/wps/wps_attr_parse.c
src/wps/wps_defs.h

index 481ecacadbbae9b29a67fd59d2fb35d7c15b52d3..da2446dff2fe9bade5edb048201bfef8c97f1f38 100644 (file)
@@ -274,22 +274,22 @@ struct p2p_peer_info {
        /**
         * manufacturer - Manufacturer (0..64 octets encoded in UTF-8)
         */
-       char manufacturer[65];
+       char manufacturer[WPS_MANUFACTURER_MAX_LEN + 1];
 
        /**
         * model_name - Model Name (0..32 octets encoded in UTF-8)
         */
-       char model_name[33];
+       char model_name[WPS_MODEL_NAME_MAX_LEN + 1];
 
        /**
         * model_number - Model Number (0..32 octets encoded in UTF-8)
         */
-       char model_number[33];
+       char model_number[WPS_MODEL_NUMBER_MAX_LEN + 1];
 
        /**
         * serial_number - Serial Number (0..32 octets encoded in UTF-8)
         */
-       char serial_number[33];
+       char serial_number[WPS_SERIAL_NUMBER_MAX_LEN + 1];
 
        /**
         * level - Signal level
index 2feeb1180619755594493f3adf3697a4a5e9a2b1..a1330ded14649c52029b7ad576f553928ab778b6 100644 (file)
@@ -447,19 +447,31 @@ static int wps_set_attr(struct wps_parse_attr *attr, u16 type,
                break;
        case ATTR_MANUFACTURER:
                attr->manufacturer = pos;
-               attr->manufacturer_len = len;
+               if (len > WPS_MANUFACTURER_MAX_LEN)
+                       attr->manufacturer_len = WPS_MANUFACTURER_MAX_LEN;
+               else
+                       attr->manufacturer_len = len;
                break;
        case ATTR_MODEL_NAME:
                attr->model_name = pos;
-               attr->model_name_len = len;
+               if (len > WPS_MODEL_NAME_MAX_LEN)
+                       attr->model_name_len = WPS_MODEL_NAME_MAX_LEN;
+               else
+                       attr->model_name_len = len;
                break;
        case ATTR_MODEL_NUMBER:
                attr->model_number = pos;
-               attr->model_number_len = len;
+               if (len > WPS_MODEL_NUMBER_MAX_LEN)
+                       attr->model_number_len = WPS_MODEL_NUMBER_MAX_LEN;
+               else
+                       attr->model_number_len = len;
                break;
        case ATTR_SERIAL_NUMBER:
                attr->serial_number = pos;
-               attr->serial_number_len = len;
+               if (len > WPS_SERIAL_NUMBER_MAX_LEN)
+                       attr->serial_number_len = WPS_SERIAL_NUMBER_MAX_LEN;
+               else
+                       attr->serial_number_len = len;
                break;
        case ATTR_DEV_NAME:
                if (len > WPS_DEV_NAME_MAX_LEN) {
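Review bot: The four new clamps in wps_set_attr (ATTR_MANUFACTURER, ATTR_MODEL_NAME, ATTR_MODEL_NUMBER, ATTR_SERIAL_NUMBER) truncate silently, so an out-of-spec attribute from a peer leaves no trace in the debug log. Logging before each clamp would give operators something to correlate on, e.g. `wpa_printf(MSG_DEBUG, "WPS: Truncating too long Manufacturer (len=%u)", len);`. The cut is made at a byte boundary, and the p2p.h comments describe these fields as UTF-8, so a truncated value can end in a partial multi-byte sequence; a comment at the clamp should say that consumers must not assume the result is valid UTF-8. The body of wps_set_attr starts before and continues past this hunk, and the ATTR_DEV_NAME case that follows opens a braced block for the same over-length condition, so it presumably handles it differently, which is worth confirming as intentional.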
index 5a09063322e120cd7961c2544f98405c83ca09be..433415596ee3df2fe3ce3a1e56de1db94429dff7 100644 (file)
@@ -42,6 +42,10 @@ extern int wps_corrupt_pkhash;
 #define WPS_OOB_DEVICE_PASSWORD_LEN 32
 #define WPS_OOB_PUBKEY_HASH_LEN 20
 #define WPS_DEV_NAME_MAX_LEN 32
+#define WPS_MANUFACTURER_MAX_LEN 64
+#define WPS_MODEL_NAME_MAX_LEN 32
+#define WPS_MODEL_NUMBER_MAX_LEN 32
+#define WPS_SERIAL_NUMBER_MAX_LEN 32
 
 /* Attribute Types */
 enum wps_attribute {
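Review bot: The four new `WPS_*_MAX_LEN` defines carry no comment saying what they count, although the p2p.h buffers in this commit are declared as `MAX_LEN + 1`. A one-line comment above them, such as `/* Maximum lengths of variable length string attributes in octets, not including NUL termination (WSC specification) */`, would make that contract explicit. Without it, a later caller could size a buffer with the bare macro and lose the terminator when copying a maximum-length value.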