From 36b5e559f1387d4e02059753ecfb04461d62f381 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 27 Sep 2008 10:49:56 +0300
Subject: [PATCH] Validate WEXT event iwe->u.data.length before using the event data

This is needed to avoid crashing wpa_supplicant with invalid event messages that may be received when using 64-bit kernel with 32-bit userspace.
---
 src/drivers/driver_wext.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/drivers/driver_wext.c b/src/drivers/driver_wext.c
index a3c4733bd..6b7f1a723 100644
--- a/src/drivers/driver_wext.c
+++ b/src/drivers/driver_wext.c
@@ -652,12 +652,20 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
 }
 break;
 case IWEVMICHAELMICFAILURE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVMICHAELMICFAILURE length");
+ return;
+ }
 wpa_driver_wext_event_wireless_michaelmicfailure(
 ctx, custom, iwe->u.data.length);
 break;
 case IWEVCUSTOM:
- if (custom + iwe->u.data.length > end)
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVCUSTOM length");
 return;
+ }
 buf = os_malloc(iwe->u.data.length + 1);
 if (buf == NULL)
 return;
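Review bot: The guard added before wpa_driver_wext_event_wireless_michaelmicfailure() (and the matching ones at IWEVCUSTOM here and at IWEVASSOCREQIE, IWEVASSOCRESPIE and IWEVPMKIDCAND in the next hunk) first forms the pointer `custom + iwe->u.data.length` and only then compares it with `end`; for a malformed event that sum can point well past the event buffer, and creating such a pointer is undefined behaviour that an optimizing compiler is entitled to use to drop the very comparison meant to catch it. Comparing the remaining room as a difference keeps every pointer inside the buffer and also rejects an event where `custom` already sits past `end`: `if (end - custom < (ptrdiff_t) iwe->u.data.length) {`. Whether `custom` can exceed `end` on entry is not visible here, since the enclosing wpa_driver_wext_event_wireless() starts and ends outside the hunk.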
@@ -673,14 +681,29 @@ static void wpa_driver_wext_event_wireless(struct wpa_driver_wext_data *drv,
 wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL);
 break;
 case IWEVASSOCREQIE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVASSOCREQIE length");
+ return;
+ }
 wpa_driver_wext_event_wireless_assocreqie(
 drv, custom, iwe->u.data.length);
 break;
 case IWEVASSOCRESPIE:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVASSOCRESPIE length");
+ return;
+ }
 wpa_driver_wext_event_wireless_assocrespie(
 drv, custom, iwe->u.data.length);
 break;
 case IWEVPMKIDCAND:
+ if (custom + iwe->u.data.length > end) {
+ wpa_printf(MSG_DEBUG, "WEXT: Invalid "
+ "IWEVPMKIDCAND length");
+ return;
+ }
 wpa_driver_wext_event_wireless_pmkidcand(
 drv, custom, iwe->u.data.length);
 break;
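Review bot: The five-line length guard is pasted three times in this hunk, at IWEVASSOCREQIE, IWEVASSOCRESPIE and IWEVPMKIDCAND, on top of the two copies in the previous hunk, with only the event name in the debug message differing, so any later correction to the comparison has to be repeated in five places. A small static helper that takes `custom`, `end`, the length and the event name, performs the comparison and emits the wpa_printf() would reduce each case to one line, e.g. `if (!wext_event_len_ok(custom, end, iwe->u.data.length, "IWEVASSOCREQIE")) return;`. Alternatively, since every case that consumes `custom` needs the same check, a single test ahead of the switch for those event types would remove the repetition entirely. The enclosing wpa_driver_wext_event_wireless() starts and ends outside the hunk.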