From: Jouni Malinen
Date: Mon, 17 Jan 2011 10:21:29 +0000 (+0200)
Subject: AP: Validate management frame length
X-Git-Tag: hostap-1-bp~632
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbcf92b42f237190b006ca8c3078593a58cbeac6;p=thirdparty%2Fhostap.git
AP: Validate management frame length
Make sure that received management frames are long enough before processing them. This avoids a potential segmentation fault if a driver delivers an invalid frame all the way to hostapd.
---
diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index 55c065403..380fb8d73 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -211,6 +211,8 @@ void handle_probe_req(struct hostapd_data *hapd,
 size_t i;
 
 ie = mgmt->u.probe_req.variable;
+ if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req))
+ return;
 ie_len = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req));
 
 for (i = 0; hapd->probereq_cb && i < hapd->num_probereq_cb; i++)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 94898cc9f..f65b79e30 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1460,6 +1460,9 @@ void ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
 int broadcast;
 u16 fc, stype;
 
+ if (len < 24)
+ return;
+
 mgmt = (struct ieee80211_mgmt *) buf;
 fc = le_to_host16(mgmt->frame_control);
 stype = WLAN_FC_GET_STYPE(fc);
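Review bot: The early `return` added ahead of the `ie_len` subtraction in handle_probe_req drops a truncated Probe Request without leaving any trace, so a driver that delivers short frames would be hard to spot. A debug line on that path, for example `wpa_printf(MSG_DEBUG, "Ignore too short Probe Request (len=%lu)", (unsigned long) len);`, would make the condition visible; the same applies to the silent `return` in the ieee802_11.c hunk. A short comment such as `/* too short: ie_len below would wrap around */` would also record why the check has to precede the subtraction, assuming `len` is unsigned here as it is in ieee802_11_mgmt. The function starts and ends outside this hunk.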
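Review bot: The literal `24` in the new `if (len < 24)` guard appears to be the management header length that the beacon.c hunk of this commit spells as `IEEE80211_HDRLEN`. Writing `if (len < IEEE80211_HDRLEN)` would tie both checks to one definition, provided that macro is the 24-byte header size. The guard covers only the fixed header that `mgmt->frame_control` reads, so each subtype handler dispatched later still needs its own minimum-length check like the one handle_probe_req gains here. Whether the other handlers have one cannot be seen from this hunk, because the body of ieee802_11_mgmt continues outside it.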