Enforce valid range check for SET mbo_cell_capa and oce
authorJouni Malinen <j@w1.fi>
Sun, 3 Mar 2024 16:15:18 +0000 (18:15 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 3 Mar 2024 16:21:07 +0000 (18:21 +0200)
These parameters have both a separate SET command handler and a global
configuration parameter handler. Only the global configuration parameter
handler was enforcing valid range checking. Do that for the SET command
as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant/ctrl_iface.c

index 6c47646920a55aee8890e584939a2aad7b104271..d0fda4cd9eca82505ffe4e83f16e5a7d92caa0a7 100644 (file)
@@ -902,9 +902,20 @@ static int wpa_supplicant_ctrl_iface_set(struct wpa_supplicant *wpa_s,
                        wpa_config_process_global(wpa_s->conf, cmd, -1);
                }
        } else if (os_strcasecmp(cmd, "mbo_cell_capa") == 0) {
-               wpas_mbo_update_cell_capa(wpa_s, atoi(value));
+               int val = atoi(value);
+
+               if (val < MBO_CELL_CAPA_AVAILABLE ||
+                   val > MBO_CELL_CAPA_NOT_SUPPORTED)
+                       return -1;
+
+               wpas_mbo_update_cell_capa(wpa_s, val);
        } else if (os_strcasecmp(cmd, "oce") == 0) {
-               wpa_s->conf->oce = atoi(value);
+               int val = atoi(value);
+
+               if (val < 0 || val > 3)
+                       return -1;
+
+               wpa_s->conf->oce = val;
                if (wpa_s->conf->oce) {
                        if ((wpa_s->conf->oce & OCE_STA) &&
                            (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OCE_STA))
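Review bot: Both new range checks are fed by `atoi(value)`, which cannot tell a number from garbage. In the `oce` branch an empty or non-numeric value parses as 0 and passes `val < 0 || val > 3`, so a malformed SET silently disables OCE instead of returning -1, and a value such as `3junk` is accepted as 3. `atoi` also has undefined behaviour when the input is out of `int` range, so the check after it cannot be relied on for very long digit strings; parsing with `strtol` and an end pointer closes both gaps, because an overflowed result saturates and then fails the range test. The same applies to the `mbo_cell_capa` branch, where 0 is rejected only if `MBO_CELL_CAPA_AVAILABLE` is non-zero, which is not visible in this hunk. The enclosing `wpa_supplicant_ctrl_iface_set()` starts and ends outside the hunk.

```c
	} else if (os_strcasecmp(cmd, "oce") == 0) {
		char *end;
		long val = strtol(value, &end, 10);

		/* reject empty, non-numeric and trailing-garbage input */
		if (end == value || *end != '\0' || val < 0 || val > 3)
			return -1;

		wpa_s->conf->oce = val;
		/* … unchanged: OCE_STA / driver flag checks … */
```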