The way this was checked previously used pointer arithmetic that could result
in undefined behavior, because the pointer could end up pointing more than
one byte beyond the end of the buffer. Avoid this by checking the buffer
length before incrementing the pointer.
Fixes: bcbe80a66a9b ("AP: MLO: Handle Multi-Link element during authentication")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_printf(MSG_DEBUG, "EHT: SAE scalar length is %zu", prime_len);
+ if (len - 2 < prime_len * (ec ? 3 : 2))
+ goto truncated;
/* scalar */
pos += prime_len;
}
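Review bot: If `len` is an unsigned type and nothing above this hunk rejects `len < 2`, the subtraction in `if (len - 2 < prime_len * (ec ? 3 : 2))` wraps to a large value and the new truncation check never fires, so a frame with fewer than two octets of variable data would still reach the pointer comparison the commit is trying to make safe. The confirm path in this same commit guards its own `len - 2` with `if (len < 2) goto truncated;` before it; the commit path should get the same guard, or the condition can be written as `if (len < 2 || len - 2 < prime_len * (ec ? 3 : 2))`. The enclosing function and the code that consumes the first two octets start outside the hunk, so this may already be covered there and is worth confirming rather than assuming.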
if (pos - mgmt->u.auth.variable > (int) len) {
+ truncated:
wpa_printf(MSG_DEBUG,
"EHT: Too short SAE commit Authentication frame");
return NULL;
return pos;
/* send confirm integer */
+ if (len < 2)
+ goto truncated;
pos += 2;
/*
wpa_printf(MSG_DEBUG, "SAE: confirm: kck_len=%zu",
sta->sae->tmp->kck_len);
+ if (len - 2 < sta->sae->tmp->kck_len)
+ goto truncated;
pos += sta->sae->tmp->kck_len;
if (pos - mgmt->u.auth.variable > (int) len) {
+ truncated:
wpa_printf(MSG_DEBUG,
"EHT: Too short SAE confirm Authentication frame");
return NULL;