Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

wpa_supplicant: Check length when building ext_capability in assoc_cb

When building wpa_ie in wpas_start_assoc_cb() with ext_capab,
make sure that assignment does not exceed max_wpa_ie_len.

Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
Adiel Aloni 7 years ago
parent
fdbfb63e45
commit
2c66c7d115
1 changed files with 2 additions and 1 deletions
Split View Show Diff Stats
  1. 2 1
      wpa_supplicant/wpa_supplicant.c

+ 2 - 1
wpa_supplicant/wpa_supplicant.c
View File 

@@ -2572,7 +2572,8 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
 
 		int ext_capab_len;
 
 		ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
 
 						     sizeof(ext_capab));
 
-		if (ext_capab_len > 0) {
 
+		if (ext_capab_len > 0 &&
 
+		    wpa_ie_len + ext_capab_len <= max_wpa_ie_len) {
 
 			u8 *pos = wpa_ie;
 
 			if (wpa_ie_len > 0 && pos[0] == WLAN_EID_RSN)
 
 				pos += 2 + pos[1];