From: Jouni Malinen
Date: Mon, 22 Feb 2021 22:30:09 +0000 (+0200)
Subject: Fix handle_auth_cb() message length check regression
X-Git-Tag: hostap_2_10~527
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc72854fe2fb726068de8c9bf2d0737b05cd975d;p=thirdparty%2Fhostap.git

Fix handle_auth_cb() message length check regression

Reordering of code in handle_auth_cb() when adding support for full station state messed up frame length checks. The length was originally tested before looking at the payload of the frame and that is obviously the correct location for that check. The location after those full station state changes was after having read six octets of the payload which did not help at all since there were no additional accesses to the payload after that check. Move the payload length check to the appropriate place to get this extra level of protection behaving in the expected manner.

Since this is a TX status callback handler, the frame payload is from a locally generated Authentication frame and as such, it will be long enough to include these fields in production use cases. Anyway, better keep this check in working condition.

Fixes: bb598c3bdd06 ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 233da7bfc..40d4a3381 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -6202,6 +6202,15 @@ static void handle_auth_cb(struct hostapd_data *hapd, return; } + if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { + wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)", + (unsigned long) len); + auth_alg = 0; + auth_transaction = 0; + status_code = WLAN_STATUS_UNSPECIFIED_FAILURE; + goto fail; + } + auth_alg = le_to_host16(mgmt->u.auth.auth_alg); auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); status_code = le_to_host16(mgmt->u.auth.status_code); 
@@ -6213,12 +6222,6 @@ static void handle_auth_cb(struct hostapd_data *hapd, goto fail; } - if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { - wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)", - (unsigned long) len); - goto fail; - } - if (status_code == WLAN_STATUS_SUCCESS && ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) || (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
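Review bot: in the first hunk, the three assignments (`auth_alg = 0;`, `auth_transaction = 0;`, `status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;`) placed before `goto fail` in the new early-exit block are not dead stores: the check now runs before the three `le_to_host16(mgmt->u.auth.*)` reads, so without them the `fail:` path would consume uninitialized values. A one-line comment there would stop a later cleanup from removing them. The bound itself, `IEEE80211_HDRLEN + sizeof(mgmt->u.auth)`, covers exactly the fixed auth body whose three 16-bit fields are read immediately afterwards, which is the right size for this check.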
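Review bot: in the second hunk, deleting the old `if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth))` block is correct only because an identical test now precedes the payload reads; at this position it ran after `auth_alg`, `auth_transaction` and `status_code` had already been loaded from the frame and protected no further access. Note the removed copy could `goto fail` without assigning those variables because they were already set at that point, whereas the relocated copy has to set them itself; the surviving `status_code == WLAN_STATUS_SUCCESS` / `auth_transaction == 2` / `auth_transaction == 4` logic is unchanged and now only ever sees values read after the length check.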