From: Jouni Malinen
Date: Sun, 19 Apr 2015 08:42:02 +0000 (+0300)
Subject: wlantest: Verify FTIE length before checking MIC
X-Git-Tag: hostap_2_5~827
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4c4ec9240eed83f51300da17a7847cb36549dd7;p=thirdparty%2Fhostap.git

wlantest: Verify FTIE length before checking MIC

tdls_verify_mic() and tdls_verify_mic_teardown() could have tried to read the 16-octet FTIE MIC when processing a TDLS frame even if the received FTIE is truncated. At least in theory, this could result in reading couple of octets beyond the frame buffer.

Signed-off-by: Jouni Malinen
---
diff --git a/wlantest/rx_tdls.c b/wlantest/rx_tdls.c
index d9247c147..f059e8dd8 100644
--- a/wlantest/rx_tdls.c
+++ b/wlantest/rx_tdls.c
@@ -142,7 +142,8 @@ static int tdls_verify_mic(struct wlantest *wt, struct wlantest_tdls *tdls,
 	struct rsn_ftie *tmp_ftie;
 
 	if (elems->link_id == NULL || elems->rsn_ie == NULL ||
-	    elems->timeout_int == NULL || elems->ftie == NULL)
+	    elems->timeout_int == NULL || elems->ftie == NULL ||
+	    elems->ftie_len < sizeof(struct rsn_ftie))
 		return -1;
 
 	len = 2 * ETH_ALEN + 1 + 2 + 18 + 2 + elems->rsn_ie_len +
@@ -488,7 +489,8 @@ static int tdls_verify_mic_teardown(struct wlantest *wt,
 	const struct rsn_ftie *rx_ftie;
 	struct rsn_ftie *tmp_ftie;
 
-	if (elems->link_id == NULL || elems->ftie == NULL)
+	if (elems->link_id == NULL || elems->ftie == NULL ||
+	    elems->ftie_len < sizeof(struct rsn_ftie))
 		return -1;
 
 	len = 2 + 18 + 2 + 1 + 1 + 2 + elems->ftie_len;
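Review bot: The new bound `elems->ftie_len < sizeof(struct rsn_ftie)` in tdls_verify_mic is a correct wire-length check only because struct rsn_ftie is a packed on-the-wire layout with no padding (hostap declares it STRUCT_PACKED; if that ever changed, sizeof would over-reject valid frames), so the intent deserves a line of comment, e.g. `/* Reject a truncated FTIE before the MIC (and the rest of the fixed FTIE body) is read below */`. The identical check is added to tdls_verify_mic_teardown in the second hunk, and the same comment applies there. A truncated FTIE now fails with the same silent -1 as a missing element, which a wlantest user cannot tell apart from a frame that simply lacks an FTIE; a `wpa_printf(MSG_DEBUG, ...)` naming the short FTIE before the return would make the rejection visible in the capture analysis. Both function bodies continue outside the hunks, so the later use of rx_ftie and len is not visible here.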