Received cookie length wasn't checked, resulting in a heap overflow with
arbitrary data received in the frame if the contents were larger than
a fixed size buffer. Fix this by explicitly checking the buffer to be
sufficiently large.
Fixes: 59299a8a7d59 ("P2P2: Add bootstrapping support with PD frames")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
p2p_dbg(p2p, "Truncated PBMA");
return;
}
+
+ if (cookie_len > sizeof(dev->bootstrap_params->cookie)) {
+ p2p_dbg(p2p, "Too long PBMA cookie");
+ return;
+ }
+
cookie = pos;
dev->bootstrap_params =
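Review bot: The new bound uses sizeof(dev->bootstrap_params->cookie) before the `dev->bootstrap_params =` assignment that follows it, so it reads like a dereference of a pointer that may not be set yet. It is safe only because sizeof does not evaluate its operand, and it is correct only while cookie stays an array member; if it ever became a pointer, the check would silently compare against the pointer size. Consider comparing against the named constant that sizes the array, or add a short comment stating that the operand is unevaluated. It would also help triage to include cookie_len and the limit in the "Too long PBMA cookie" debug message.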