Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-02-20 02:53:03 -05:00
Code Issues Projects Releases Wiki Activity

P2P: Fix wfd_dev_info parsing for P2P-DEVICE-FOUND (CID 68127)

Browse Source 
Commit b125c48fce823f28d22ebd68297c5b94366c6aa1 ('P2P: Add wfd_dev_info=
field for device found event') added Wi-Fi Display device info to the
P2P-DEVICE-FOUND events. However, it did not include proper bounds
checking in wifi_display_subelem_hex() and could accept subelements with
invalid length field values. This could result in buffer read overflow
of up to 64 kB and inclusion of heap memory in the local control
interface event and/or process crash due to invalid memory access. Fix
this by checking the validity of the length field before writing a
hexdump of the data.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-06-13 15:25:39 +03:00
parent 1851e17a64
commit 49d13df63c
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
wpa_supplicant/wifi_display.c
View File

@ -276,6 +276,8 @@ char * wifi_display_subelem_hex(const struct wpabuf *wfd_subelems, u8 id)
while (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN < buflen) {
elen = WPA_GET_BE16(buf + i + 1);
if (i + WIFI_DISPLAY_SUBELEM_HEADER_LEN + elen > buflen)
break; /* truncated subelement */
if (buf[i] == id) {
subelem = os_zalloc(2 * elen + 1);