The parsed 'length' field might point beyond the end of the frame, for
some malformed frames. I haven't figured the source of said packets (I'm
using kernel 4.14.177, FWIW), but we can at least be safer about our
handling of them here.
Signed-off-by: Brian Norris <briannorris@chromium.org>
def sae_rx_commit_token_req(sock, radiotap, send_two=False):
msg = sock.recv(1500)
- ver, pad, len, present = struct.unpack('<BBHL', msg[0:8])
- frame = msg[len:]
+ ver, pad, length, present = struct.unpack('<BBHL', msg[0:8])
+ frame = msg[length:]
+ if len(frame) < 4:
+ return False
fc, duration = struct.unpack('<HH', frame[0:4])
if fc != 0xb0:
return False
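Review bot: the `struct.unpack('<BBHL', msg[0:8])` call on the `+ ver, pad, length, present` line still raises `struct.error` if `msg` is shorter than 8 bytes, so a truncated radiotap header is not covered by the new `if len(frame) < 4` guard; consider adding `if len(msg) < 8: return False` before the unpack so both short-header and short-frame cases take the same early-return path. Worth noting in the commit message as well: the rename from `len` to `length` is required, not cosmetic, because the old name shadowed the `len()` builtin and the new `len(frame)` check would not have worked otherwise.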