GAS: Limit maximum comeback delay value

Limit the GAS comeback delay to 60000 TUs, i.e., about 60 seconds. This
is mostly to silence static analyzers that complain about unbounded
value from external sources even though this is clearly bounded by being
a 16-bit value.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/gas_query_ap.c b/src/ap/gas_query_ap.c
index fdb3cad55adeef20a1d62cb6e698ec20e683fbfe..3d944072daafe542e23fe8c9be839e8244b35c16 100644 (file)
--- a/src/ap/gas_query_ap.c
+++ b/src/ap/gas_query_ap.c
@@ -29,6 +29,8 @@
 #define GAS_QUERY_WAIT_TIME_INITIAL 1000
 #define GAS_QUERY_WAIT_TIME_COMEBACK 150
 
+#define GAS_QUERY_MAX_COMEBACK_DELAY 60000
+
 /**
  * struct gas_query_pending - Pending GAS query
  */
@@ -545,6 +547,8 @@ int gas_query_ap_rx(struct gas_query_ap *gas, const u8 *sa, u8 categ,
        if (pos + 2 > data + len)
                return 0;
        comeback_delay = WPA_GET_LE16(pos);
+       if (comeback_delay > GAS_QUERY_MAX_COMEBACK_DELAY)
+               comeback_delay = GAS_QUERY_MAX_COMEBACK_DELAY;
        pos += 2;
 
        /* Advertisement Protocol element */

diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index a6172d69233b1fe33f0939ee09b370c081c3e1b9..802f120caff4008d688e1f663d9b9c13f73f1c3d 100644 (file)
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -30,6 +30,8 @@
 #define GAS_QUERY_WAIT_TIME_INITIAL 1000
 #define GAS_QUERY_WAIT_TIME_COMEBACK 150
 
+#define GAS_QUERY_MAX_COMEBACK_DELAY 60000
+
 /**
  * struct gas_query_pending - Pending GAS query
  */
@@ -589,6 +591,8 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
        if (pos + 2 > data + len)
                return 0;
        comeback_delay = WPA_GET_LE16(pos);
+       if (comeback_delay > GAS_QUERY_MAX_COMEBACK_DELAY)
+               comeback_delay = GAS_QUERY_MAX_COMEBACK_DELAY;
        pos += 2;
 
        /* Advertisement Protocol element */