From 05e46a944ac6f5667b180e8ff49793e3c45ae6dd Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 7 Apr 2015 11:50:10 +0300 Subject: [PATCH] Ignore too long SSID element value in parser The SSID element is defined to have a valid length range of 0-32. While this length was supposed to validated by the users of the element parser, there are not really any valid cases where the maximum length of 32 octet SSID would be exceeded and as such, the parser itself can enforce the limit as an additional protection. Signed-off-by: Jouni Malinen --- src/common/ieee802_11_common.c | 6 ++++++ src/common/ieee802_11_defs.h | 2 ++ 2 files changed, 8 insertions(+) diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c index aca0b7322..c741e13b0 100644 --- a/src/common/ieee802_11_common.c +++ b/src/common/ieee802_11_common.c @@ -196,6 +196,12 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len, switch (id) { case WLAN_EID_SSID: + if (elen > SSID_MAX_LEN) { + wpa_printf(MSG_DEBUG, + "Ignored too long SSID element (elen=%u)", + elen); + break; + } elems->ssid = pos; elems->ssid_len = elen; break; diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h index 6e9c43cb2..62009f512 100644 --- a/src/common/ieee802_11_defs.h +++ b/src/common/ieee802_11_defs.h @@ -1354,4 +1354,6 @@ struct rrm_link_measurement_report { u8 variable[0]; } STRUCT_PACKED; +#define SSID_MAX_LEN 32 + #endif /* IEEE802_11_DEFS_H */