Check HE and EHT element minimum lengths in the parser

Ignore invalid elements that do not contain enough payload early in the
process.

Signed-off-by: sunilravi <sunilravi@google.com>
Signed-off-by: Henry Yen <henryyen@google.com>

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index a0b51c014f85067f7f1495b132c073fb8f88d2ee..b77a6b16a384505e3a49229f2363a1453ed1287c 100644 (file)
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -378,10 +378,14 @@ static int ieee802_11_parse_extension(const u8 *pos, size_t elen,
                elems->password_id_len = elen;
                break;
        case WLAN_EID_EXT_HE_CAPABILITIES:
+               if (elen < HE_CAPABILITIES_ELEM_MIN_LEN)
+                       break;
                elems->he_capabilities = pos;
                elems->he_capabilities_len = elen;
                break;
        case WLAN_EID_EXT_HE_OPERATION:
+               if (elen < HE_OPERATION_ELEM_MIN_LEN)
+                       break;
                elems->he_operation = pos;
                elems->he_operation_len = elen;
                break;
@@ -403,10 +407,14 @@ static int ieee802_11_parse_extension(const u8 *pos, size_t elen,
                elems->pasn_params_len = elen;
                break;
        case WLAN_EID_EXT_EHT_CAPABILITIES:
+               if (elen < EHT_CAPABILITIES_ELEM_MIN_LEN)
+                       break;
                elems->eht_capabilities = pos;
                elems->eht_capabilities_len = elen;
                break;
        case WLAN_EID_EXT_EHT_OPERATION:
+               if (elen < EHT_OPERATION_ELEM_MIN_LEN)
+                       break;
                elems->eht_operation = pos;
                elems->eht_operation_len = elen;
                break;

diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h
index 28032bbc8220e9eafbe8370620e9feecc0dc0aeb..46373b3c23d7556d9710ab8d1e4a129d343ea56f 100644 (file)
--- a/src/common/ieee802_11_defs.h
+++ b/src/common/ieee802_11_defs.h
@@ -2535,6 +2535,8 @@ struct ieee80211_spatial_reuse {
        u8 params[19];
 } STRUCT_PACKED;
 
+#define HE_CAPABILITIES_ELEM_MIN_LEN           21
+
 /* HE Capabilities Information defines */
 
 #define HE_MACCAP_TWT_RESPONDER                        ((u8) BIT(2))
@@ -2586,6 +2588,9 @@ struct ieee80211_spatial_reuse {
 #define HE_OPERATION_BSS_COLOR_OFFSET          24
 #define HE_OPERATION_BSS_COLOR_MAX             64
 
+/* HE operation fields length */
+#define HE_OPERATION_ELEM_MIN_LEN                              6
+
 /**
  * enum he_reg_info_6ghz_ap_type - Allowed Access Point types for 6 GHz Band
  *
@@ -2690,6 +2695,7 @@ struct ieee80211_he_mu_edca_parameter_set {
 #define RNR_TBTT_INFO_MLD_PARAM2_LINK_DISABLED  0x20
 
 /* IEEE P802.11be/D2.3, 9.4.2.311 - EHT Operation element */
+#define EHT_OPERATION_ELEM_MIN_LEN                       1
 
 /* Figure 9-1002b: EHT Operation Parameters field subfields */
 #define EHT_OPER_INFO_PRESENT                          BIT(0)
@@ -2724,6 +2730,7 @@ struct ieee80211_eht_operation {
 #define IEEE80211_EHT_OP_MIN_LEN (1 + 4)
 
 /* IEEE P802.11be/D1.5, 9.4.2.313 - EHT Capabilities element */
+#define EHT_CAPABILITIES_ELEM_MIN_LEN             11
 
 /* Figure 9-1002af: EHT MAC Capabilities Information field */
 #define EHT_MACCAP_EPCS_PRIO                   BIT(0)