From 1739d50c206c6c81125e85cd6e99baac9128668c Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 8 May 2022 17:18:58 +0300
Subject: [PATCH] FST: More robust bounds checking of local data in fst_dump_mb_ies()

Check the full MBIE length against the buffer length explicitly before the debug print. This is for locally generated data, so the bounds checking is not critical here, but it is better to use proper checking anyway to avoid static analyzer complaints.

Signed-off-by: Jouni Malinen
---
 src/fst/fst_group.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/fst/fst_group.c b/src/fst/fst_group.c
index d1c401497..255d0fdc9 100644
--- a/src/fst/fst_group.c
+++ b/src/fst/fst_group.c
@@ -28,8 +28,13 @@ static void fst_dump_mb_ies(const char *group_id, const char *ifname,
 while (s >= 2) {
 const struct multi_band_ie *mbie =
 (const struct multi_band_ie *) p;
+ size_t len;
+
 WPA_ASSERT(mbie->eid == WLAN_EID_MULTI_BAND);
 WPA_ASSERT(2U + mbie->len >= sizeof(*mbie));
+ len = 2 + mbie->len;
+ if (len > s)
+ break;

 fst_printf(MSG_WARNING,
 "%s: %s: mb_ctrl=%u band_id=%u op_class=%u chan=%u bssid="
@@ -45,8 +50,8 @@ static void fst_dump_mb_ies(const char *group_id, const char *ifname,
 mbie->mb_connection_capability,
 mbie->fst_session_tmout);

- p += 2 + mbie->len;
- s -= 2 + mbie->len;
+ p += len;
+ s -= len;
 }
 }

-- 
2.47.2
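Review bot: The new `if (len > s) break;` guard bounds the element from above only, while the fst_printf() call that follows reads every field of struct multi_band_ie, so an element whose declared length is shorter than sizeof(*mbie) still passes the guard. The only minimum-size check on this path is `WPA_ASSERT(2U + mbie->len >= sizeof(*mbie))`, and if that macro compiles to nothing in a given build (its definition is not visible here) the debug print could read past the end of the buffer. Folding the lower bound into the same test, `if (len < sizeof(*mbie) || len > s)`, would make the check self-contained and match the commit's stated goal of satisfying static analyzers. fst_dump_mb_ies() begins before this hunk and the fst_printf() argument list continues past it.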