From: Jouni Malinen <j@w1.fi>
Date: Sat, 7 Jun 2014 16:21:48 +0000 (+0300)
Subject: TDLS: Add extra validation step for responder RSN IE length
X-Git-Tag: hostap_2_3~342
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f4d51e059f3685adb0e2de195c83dd4a2e0729d;p=thirdparty%2Fhostap.git

TDLS: Add extra validation step for responder RSN IE length

The following kde.rsn_ie_len != peer->rsnie_i_len was already taking
care of enforcing the length to be within the target buffer length.
Anyway, this explicit check makes this clearer and matches the design in
TPK M1 processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index 3b1465606..84b7c1bef 100644
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -2098,6 +2098,13 @@ static int wpa_tdls_process_tpk_m2(struct wpa_sm *sm, const u8 *src_addr,
 	wpa_hexdump(MSG_DEBUG, "TDLS: RSN IE Received from TPK M2",
 		    kde.rsn_ie, kde.rsn_ie_len);
 
+	if (kde.rsn_ie_len > TDLS_MAX_IE_LEN) {
+		wpa_printf(MSG_INFO,
+			   "TDLS: Too long Responder RSN IE in TPK M2");
+		status = WLAN_STATUS_INVALID_RSNIE;
+		goto error;
+	}
+
 	/*
 	 * FIX: bitwise comparison of RSN IE is not the correct way of
 	 * validation this. It can be different, but certain fields must