From fe1dc9ba772fbf426b45983e7714087bcb74ecd0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 8 May 2022 12:19:42 +0300
Subject: [PATCH] WNM: Try to make bounds checking easier for static analyzers

The length of the URL, i.e., pos[0], is verified here to be within the bounds of the recieved message, but that seemed to be done in a manner that might bee too complex for static analyzers to understand.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/wnm_sta.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 96160dccb..0a4b9d474 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -1453,15 +1453,22 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
 if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT) {
 char url[256];
+ u8 url_len;
- if (end - pos < 1 || 1 + pos[0] > end - pos) {
+ if (end - pos < 1) {
 wpa_printf(MSG_DEBUG, "WNM: Invalid BSS Transition "
 "Management Request (URL)");
 return;
 }
- os_memcpy(url, pos + 1, pos[0]);
- url[pos[0]] = '\0';
- pos += 1 + pos[0];
+ url_len = *pos++;
+ if (url_len > end - pos) {
+ wpa_printf(MSG_DEBUG,
+ "WNM: Invalid BSS Transition Management Request (URL truncated)");
+ return;
+ }
+ os_memcpy(url, pos, url_len);
+ url[url_len] = '\0';
+ pos += url_len;
 wpa_msg(wpa_s, MSG_INFO, ESS_DISASSOC_IMMINENT "%d %u %s",
 wpa_sm_pmf_enabled(wpa_s->wpa),
-- 
2.47.2