From: Jouni Malinen Date: Fri, 24 May 2019 13:59:25 +0000 (+0300) Subject: WNM: Fix BSS Termination Duration subelement length validation X-Git-Tag: hostap_2_9~275 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8ebef87cb4bb57a9d4b1ca3bc1ee2979ff8c297;p=thirdparty%2Fhostap.git WNM: Fix BSS Termination Duration subelement length validation The length check for the BSS Termination Duration subelement was accidentally removed and this could result in reading up to 10 bytes beyond the end of a received frame. The actual read bytes would be stored locally, but they were not used for anything, so other than reading beyond the end of an allocated heap memory buffer, this did not result in any behavior difference or exposure of the bytes. Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14922 Fixes: 093226783dc7 ("WNM: Simplify how candidate subelements are stored") Signed-off-by: Jouni Malinen --- diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c index 22a21361a..e6d7d6689 100644 --- a/wpa_supplicant/wnm_sta.c +++ b/wpa_supplicant/wnm_sta.c @@ -451,6 +451,11 @@ static void wnm_parse_neighbor_report_elem(struct neighbor_report *rep, rep->preference_present = 1; break; case WNM_NEIGHBOR_BSS_TERMINATION_DURATION: + if (elen < 10) { + wpa_printf(MSG_DEBUG, + "WNM: Too short BSS termination duration"); + break; + } rep->bss_term_tsf = WPA_GET_LE64(pos); rep->bss_term_dur = WPA_GET_LE16(pos + 8); rep->bss_term_present = 1;
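Review bot: In the WNM_NEIGHBOR_BSS_TERMINATION_DURATION case, the bound in `if (elen < 10)` is a bare literal with nothing tying it to the reads it protects. The 10 is the 8 bytes consumed by `WPA_GET_LE64(pos)` plus the 2 bytes consumed by `WPA_GET_LE16(pos + 8)`. A short comment or a named constant stating that would make it harder for a later refactor to drop or mis-size the check again, which is how the commit message says this over-read was introduced. The debug message would also be more useful if it included the received `elen`, so a truncated subelement can be told apart from an empty one when reading logs. The check accepts any `elen` of 10 or more, so trailing bytes in a longer subelement are silently ignored. If that is intentional for forward compatibility, it is worth saying so in the comment.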