Check whether element parsing has failed
authorJouni Malinen <quic_jouni@quicinc.com>
Tue, 18 Jul 2023 13:02:44 +0000 (16:02 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 18 Jul 2023 13:05:17 +0000 (16:05 +0300)
Check the ieee802_11_parse_elems() return code and do not proceed in
various cases if parsing failed. Previously, these cases would have been
allowed to continue by ignoring whatever might have followed in the IE
buffer after the first detected parsing failure. This is not really an
issue in practice, but it feels cleaner to explicitly stop when
receiving an invalid set of IEs.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/drv_callbacks.c
src/common/hw_features_common.c
src/p2p/p2p_parse.c

index 4d765dcb101e6fe513fdc25195ce85d66ce5c3dc..3f3f2a6337eced4952531ee9c73c9cc43c2369bb 100644 (file)
@@ -59,9 +59,10 @@ void hostapd_notify_assoc_fils_finish(struct hostapd_data *hapd,
        if (!sta->fils_pending_assoc_req)
                return;
 
-       ieee802_11_parse_elems(sta->fils_pending_assoc_req,
-                              sta->fils_pending_assoc_req_len, &elems, 0);
-       if (!elems.fils_session) {
+       if (ieee802_11_parse_elems(sta->fils_pending_assoc_req,
+                                  sta->fils_pending_assoc_req_len, &elems,
+                                  0) == ParseFailed ||
+           !elems.fils_session) {
                wpa_printf(MSG_DEBUG, "%s failed to find FILS Session element",
                           __func__);
                return;
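Review bot: The debug message under the combined condition still says "failed to find FILS Session element" when the actual cause is ieee802_11_parse_elems() returning ParseFailed. A malformed pending association request therefore looks the same in the log as a well-formed one that lacks the element. Splitting the two checks, or rewording the message to `"%s: failed to parse elements or find FILS Session element"`, would keep the cause visible during triage. hostapd_notify_assoc_fils_finish() starts and continues outside this hunk.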
@@ -176,7 +177,12 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
        hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
                       HOSTAPD_LEVEL_INFO, "associated");
 
-       ieee802_11_parse_elems(req_ies, req_ies_len, &elems, 0);
+       if (ieee802_11_parse_elems(req_ies, req_ies_len, &elems, 0) ==
+           ParseFailed) {
+               wpa_printf(MSG_DEBUG, "%s: Could not parse elements", __func__);
+               return -1;
+       }
+
        if (elems.wps_ie) {
                ie = elems.wps_ie - 2;
                ielen = elems.wps_ie_len + 2;
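Review bot: The new `return -1` on ParseFailed comes after the INFO-level "associated" log line, so a station that sent malformed IEs is logged as associated and then rejected with a MSG_DEBUG line that does not name it. Including the address would let the rejection be matched to the station, e.g. `wpa_printf(MSG_DEBUG, "%s: Could not parse elements from " MACSTR, __func__, MAC2STR(addr));`, assuming addr is already checked for NULL earlier in the function. The rest of hostapd_notif_assoc() is outside the hunk. If its other failure paths ask the driver to disassociate the station, this early return probably should too, because the driver has already reported the association; that needs confirming against the full function.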
index 584c6d2750f6428ccd985d39c162d48e3b9ae383..57b5a8e23eb9026a2819f7f62adf9da9f38a6605 100644 (file)
@@ -183,8 +183,8 @@ void get_pri_sec_chan(struct wpa_scan_res *bss, int *pri_chan, int *sec_chan)
 
        *pri_chan = *sec_chan = 0;
 
-       ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0);
-       if (elems.ht_operation) {
+       if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0) !=
+           ParseFailed && elems.ht_operation) {
                oper = (struct ieee80211_ht_operation *) elems.ht_operation;
                *pri_chan = oper->primary_chan;
                if (oper->ht_param & HT_INFO_HT_PARAM_STA_CHNL_WIDTH) {
@@ -273,7 +273,10 @@ static int check_20mhz_bss(struct wpa_scan_res *bss, int pri_freq, int start,
        if (bss->freq < start || bss->freq > end || bss->freq == pri_freq)
                return 0;
 
-       ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0);
+       if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems, 0) ==
+           ParseFailed)
+               return 0;
+
        if (!elems.ht_capabilities) {
                wpa_printf(MSG_DEBUG, "Found overlapping legacy BSS: "
                           MACSTR " freq=%d", MAC2STR(bss->bssid), bss->freq);
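Review bot: On ParseFailed the new guard returns 0, the same value as the out-of-range check just above it, so an in-range BSS whose IEs do not parse is now silently treated as not overlapping. Before this change such an entry could still reach the "Found overlapping legacy BSS" branch if no HT Capabilities element had been seen before the parse error. Scan results come from over-the-air data, so this fail-open choice deserves a comment and a debug line before the `return 0`, e.g. `wpa_printf(MSG_DEBUG, "Ignoring BSS " MACSTR " with unparseable IEs", MAC2STR(bss->bssid));`. The same silent skip applies to the `!= ParseFailed &&` conditions added in get_pri_sec_chan() and check_40mhz_2g4(). check_20mhz_bss() continues outside the hunk.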
@@ -357,9 +360,9 @@ int check_40mhz_2g4(struct hostapd_hw_modes *mode,
                        }
                }
 
-               ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len, &elems,
-                                      0);
-               if (elems.ht_capabilities) {
+               if (ieee802_11_parse_elems((u8 *) (bss + 1), bss->ie_len,
+                                          &elems, 0) != ParseFailed &&
+                   elems.ht_capabilities) {
                        struct ieee80211_ht_capabilities *ht_cap =
                                (struct ieee80211_ht_capabilities *)
                                elems.ht_capabilities;
index 486d62863c2426e51983fea9be111f37552a4ceb..07d6ca022ff934a3d50fc8982be17834fdae01ec 100644 (file)
@@ -545,7 +545,9 @@ int p2p_parse_ies(const u8 *data, size_t len, struct p2p_message *msg)
 {
        struct ieee802_11_elems elems;
 
-       ieee802_11_parse_elems(data, len, &elems, 0);
+       if (ieee802_11_parse_elems(data, len, &elems, 0) == ParseFailed)
+               return -1;
+
        if (elems.ds_params)
                msg->ds_params = elems.ds_params;
        if (elems.ssid)
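Review bot: p2p_parse_ies() now returns -1 on ParseFailed with no log output, unlike the matching check added in hostapd_notif_assoc(), which prints "Could not parse elements". A single `wpa_printf(MSG_DEBUG, "P2P: Failed to parse IEs");` before the return would make dropped frames visible when debugging. A short comment could also state that msg is left unmodified on this path, since the assignments into msg only begin after the check. The function continues outside the hunk.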