From: Jouni Malinen <jouni.malinen@atheros.com>
Date: Wed, 13 Apr 2011 23:39:25 +0000 (+0300)
Subject: Add sanity checks to EVENT_RX_PROBE_REQ event data
X-Git-Tag: hostap-1-bp~411
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b211f3eb715f208ab3dd2ca6e4296f445e9d3725;p=thirdparty%2Fhostap.git

Add sanity checks to EVENT_RX_PROBE_REQ event data

Both the SA and IEs from the received Probe Request frames must be
included and the Probe Request RX callback functions may assume that
these are not NULL.
---

diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 92b05ca34..7bc8be294 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -253,8 +253,10 @@ int hostapd_probe_req_rx(struct hostapd_data *hapd, const u8 *sa,
 	size_t i;
 	int ret = 0;
 
-	if (sa)
-		random_add_randomness(sa, ETH_ALEN);
+	if (sa == NULL || ie == NULL)
+		return -1;
+
+	random_add_randomness(sa, ETH_ALEN);
 	for (i = 0; hapd->probereq_cb && i < hapd->num_probereq_cb; i++) {
 		if (hapd->probereq_cb[i].cb(hapd->probereq_cb[i].ctx,
 					    sa, ie, ie_len) > 0) {
@@ -491,6 +493,9 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
 		break;
 #endif /* NEED_AP_MLME */
 	case EVENT_RX_PROBE_REQ:
+		if (data->rx_probe_req.sa == NULL ||
+		    data->rx_probe_req.ie == NULL)
+			break;
 		hostapd_probe_req_rx(hapd, data->rx_probe_req.sa,
 				     data->rx_probe_req.ie,
 				     data->rx_probe_req.ie_len);
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 4d7fa82b6..3e6d0143e 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -2012,6 +2012,9 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
 #endif /* CONFIG_P2P */
 		break;
 	case EVENT_RX_PROBE_REQ:
+		if (data->rx_probe_req.sa == NULL ||
+		    data->rx_probe_req.ie == NULL)
+			break;
 #ifdef CONFIG_AP
 		if (wpa_s->ap_iface) {
 			hostapd_probe_req_rx(wpa_s->ap_iface->bss[0],