From: Andrei Otcheretianski
Date: Tue, 19 Aug 2025 19:25:27 +0000 (+0300)
Subject: P2P2: Fix potential buffer overflow in PBMA parsing
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=af2886cbabca3246ba8b4c40d2813c36cde35f86;p=thirdparty%2Fhostap.git

P2P2: Fix potential buffer overflow in PBMA parsing

Received cookie length wasn't checked, resulting in a heap overflow with arbitrary data received in the frame if the contents were larger than a fixed size buffer. Fix this by explicitly checking that the buffer is sufficiently large.

Fixes: 59299a8a7d59 ("P2P2: Add bootstrapping support with PD frames")
Signed-off-by: Andrei Otcheretianski
---
diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c index b0f893e7f..d9bff5a68 100644 --- a/src/p2p/p2p_pd.c +++ b/src/p2p/p2p_pd.c @@ -1694,6 +1694,12 @@ static void p2p_process_prov_disc_bootstrap_resp(struct p2p_data *p2p, p2p_dbg(p2p, "Truncated PBMA"); return; } + + if (cookie_len > sizeof(dev->bootstrap_params->cookie)) { + p2p_dbg(p2p, "Too long PBMA cookie"); + return; + } + cookie = pos; dev->bootstrap_params =
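Review bot: the new bound check reads sizeof(dev->bootstrap_params->cookie) one line before dev->bootstrap_params is assigned, so it relies on sizeof being a compile-time expression that never dereferences the pointer; that is correct C, but it is easy to misread as a use of a possibly unset pointer, so a one-line comment (or using the cookie array's declared size constant, if one exists) would make the intent obvious to the next reader. Two smaller points: the check permits cookie_len == sizeof(...cookie), which is only safe if the cookie is stored with its own length field rather than as a NUL-terminated string, and the p2p_dbg message would be more useful for triage if it included the offending cookie_len and the buffer size (the existing "Truncated PBMA" message sets the precedent of terse messages, so this is a suggestion, not a blocker).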