wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which
resulted in invalid scan data being accepted in driver_privsep.c. Add
support for res->beacon_ie_len and also fix the validation step to take
this new variable length field into account.
Signed-off-by: Jouni Malinen <j@w1.fi>
break;
os_memcpy(r, pos, len);
pos += len;
- if (sizeof(*r) + r->ie_len > (size_t) len) {
+ if (sizeof(*r) + r->ie_len + r->beacon_ie_len > (size_t) len) {
+ wpa_printf(MSG_ERROR,
+ "privsep: Invalid scan result len (%d + %d + %d > %d)",
+ (int) sizeof(*r), (int) r->ie_len,
+ (int) r->beacon_ie_len, len);
os_free(r);
break;
}
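Review bot: The updated length check sums `sizeof(*r) + r->ie_len + r->beacon_ie_len` before comparing with `len`, so a very large `ie_len` or `beacon_ie_len` received over the privsep socket could wrap the sum and pass validation; this assumes the fields are `size_t`, whose declaration is not in the hunk. Comparing by subtraction avoids the wrap: `if ((size_t) len < sizeof(*r) || r->ie_len > (size_t) len - sizeof(*r) || r->beacon_ie_len > (size_t) len - sizeof(*r) - r->ie_len) {`. The lower bound `len >= sizeof(*r)` also has to hold before `r->ie_len` is read at all; any such check sits above the hunk and is not visible here. The new error message prints the lengths through `(int)` casts with `%d`, which would misreport exactly the oversized values being rejected; `%lu` with `(unsigned long)` casts would keep the log usable for triage.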
for (i = 0; i < res->num; i++) {
struct wpa_scan_res *r = res->res[i];
- val = sizeof(*r) + r->ie_len;
+ val = sizeof(*r) + r->ie_len + r->beacon_ie_len;
if (end - pos < (int) sizeof(int) + val)
break;
os_memcpy(pos, &val, sizeof(int));
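Review bot: `val` is copied out with `sizeof(int)` and compared as a signed quantity on the next line, so the `size_t` sum `sizeof(*r) + r->ie_len + r->beacon_ie_len` appears to be narrowed to `int` (the declaration of `val` is outside the hunk). If the combined length ever exceeded `INT_MAX`, `val` could become negative and `end - pos < (int) sizeof(int) + val` would no longer bound whatever copy follows. Doing the bound check in `size_t` first is safer: `size_t need = sizeof(*r) + r->ie_len + r->beacon_ie_len;` then `if (end - pos < (int) sizeof(int) || need > (size_t) (end - pos) - sizeof(int)) break;` and only then `val = (int) need;`. The loop body continues past the end of the hunk, so the copy itself is not visible here.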