AP MLD: More careful checking of Multi-Link element length fields

Avoid potential read of one or two octets beyond the end of the
subelement when verifying that there is sufficient amount of data
included in each subelement/element within the MLE in Association
Request frames.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 06f82ce303ce4a76b1ede43e06936e35ff2b74ea..1f71a1df0e0d869dba07c164dbcecb68408d1048 100644 (file)
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -1004,7 +1004,7 @@ ParseRes ieee802_11_parse_link_assoc_req(const u8 *start, size_t len,
                        continue;
                }
 
-               if (sub_elem_len < 3) {
+               if (sub_elem_len < 5) {
                        if (show_errors)
                                wpa_printf(MSG_DEBUG,
                                           "MLD: error: sub_elem_len=%zu < 5",
@@ -1073,7 +1073,8 @@ ParseRes ieee802_11_parse_link_assoc_req(const u8 *start, size_t len,
                        non_inherit_len -= 1 + non_inherit[0];
                        non_inherit += 1 + non_inherit[0];
 
-                       if (non_inherit_len < 1UL + non_inherit[0]) {
+                       if (non_inherit_len < 1UL ||
+                           non_inherit_len < 1UL + non_inherit[0]) {
                                if (show_errors)
                                        wpa_printf(MSG_DEBUG,
                                                   "MLD: Invalid inheritance");