From: Marcel Holtmann <marcel@holtmann.org>
Date: Mon, 4 May 2009 16:49:09 +0000 (-0700)
Subject: add length checks for WPA/RSN cipher and authentication suites
X-Git-Tag: v0.9.14~24
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=31d477fb191d14e3860d2d0b162d33ea87237bdb;p=thirdparty%2Fiw.git

add length checks for WPA/RSN cipher and authentication suites
---

diff --git a/scan.c b/scan.c
index 720c48d..9698f9f 100644
--- a/scan.c
+++ b/scan.c
@@ -317,9 +317,12 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
 	}
 
 	count = data[0] | (data[1] << 8);
+	if (2 + (count * 4) > len)
+		goto invalid;
+
 	tab_on_first(&first);
 	printf("\t * Pairwise ciphers:");
-	for (i=0; i<count; i++) {
+	for (i = 0; i < count; i++) {
 		printf(" ");
 		print_cipher(data + 2 + (i * 4));
 	}
@@ -335,6 +338,9 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
 	}
 
 	count = data[0] | (data[1] << 8);
+	if (2 + (count * 4) > len)
+		goto invalid;
+
 	tab_on_first(&first);
 	printf("\t * Authentication suites:");
 	for (i = 0; i < count; i++) {
@@ -352,6 +358,20 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
 	capa = data[0] | (data[1] << 8);
 	tab_on_first(&first);
 	printf("\t * Capabilities: 0x%.4x\n", capa);
+
+	data += 2;
+	len -= 2;
+
+invalid:
+	if (len != 0) {
+		printf("\t\t * bogus tail data (%d):", len);
+		while (len) {
+			printf(" %.2x", *data);
+			data++;
+			len--;
+		}
+		printf("\n");
+	}
 }
 
 static void print_rsn(const uint8_t type, uint8_t len, const uint8_t *data)