Avoid undefined behavior in RSNXE capability bit checker

Integer promotion converts u8 rsnxe[i] to an int which is not
sufficiently large to be able to handle the maximum shift left of 24
bits here. Type cast rsnxe[i] to u32 explicitly to get rid of the sign
bit and avoid this undefined behavior from the shift operation.

Credit to OSS-Fuzz: https://issues.oss-fuzz.com/issues/376786400
Fixes: d675d3b15b40 ("Add helper functions for parsing RSNXE capabilities")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 4a35479fc7b5d111528dbad9295dc3034a477fbc..22348b8c270feb0dc9db4535bab387f886ed30ad 100644 (file)
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -3141,7 +3141,7 @@ bool ieee802_11_rsnx_capab_len(const u8 *rsnxe, size_t rsnxe_len,
        if (flen > 4)
                flen = 4;
        for (i = 0; i < flen; i++)
-               capabs |= rsnxe[i] << (8 * i);
+               capabs |= (u32) rsnxe[i] << (8 * i);
 
        return !!(capabs & BIT(capab));
 }