|
@@ -442,6 +442,7 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
|
|
|
u16 comeback_delay, resp_len;
|
|
u16 comeback_delay, resp_len;
|
|
|
const u8 *pos, *adv_proto;
|
|
const u8 *pos, *adv_proto;
|
|
|
int prot, pmf;
|
|
int prot, pmf;
|
|
|
|
|
+ unsigned int left;
|
|
|
|
|
|
|
|
if (gas == NULL || len < 4)
|
|
if (gas == NULL || len < 4)
|
|
|
return -1;
|
|
return -1;
|
|
@@ -543,17 +544,17 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
|
|
|
resp_len = WPA_GET_LE16(pos);
|
|
resp_len = WPA_GET_LE16(pos);
|
|
|
pos += 2;
|
|
pos += 2;
|
|
|
|
|
|
|
|
- if (pos + resp_len > data + len) {
|
|
|
|
|
|
|
+ left = data + len - pos;
|
|
|
|
|
+ if (resp_len > left) {
|
|
|
wpa_printf(MSG_DEBUG, "GAS: Truncated Query Response in "
|
|
wpa_printf(MSG_DEBUG, "GAS: Truncated Query Response in "
|
|
|
"response from " MACSTR, MAC2STR(sa));
|
|
"response from " MACSTR, MAC2STR(sa));
|
|
|
return 0;
|
|
return 0;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- if (pos + resp_len < data + len) {
|
|
|
|
|
|
|
+ if (resp_len < left) {
|
|
|
wpa_printf(MSG_DEBUG, "GAS: Ignore %u octets of extra data "
|
|
wpa_printf(MSG_DEBUG, "GAS: Ignore %u octets of extra data "
|
|
|
"after Query Response from " MACSTR,
|
|
"after Query Response from " MACSTR,
|
|
|
- (unsigned int) (data + len - pos - resp_len),
|
|
|
|
|
- MAC2STR(sa));
|
|
|
|
|
|
|
+ left - resp_len, MAC2STR(sa));
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
if (action == WLAN_PA_GAS_COMEBACK_RESP)
|
|
if (action == WLAN_PA_GAS_COMEBACK_RESP)
|
Jouni Malinen