
AP: Validate management frame length

Make sure that received management frames are long enough before
processing them. This avoids a potential segmentation fault if a
driver delivers an invalid frame all the way to hostapd.
Jouni Malinen 14 years ago
parent
commit
cbcf92b42f
2 changed files with 5 additions and 0 deletions
  1. 2 0
      src/ap/beacon.c
  2. 3 0
      src/ap/ieee802_11.c

+ 2 - 0
src/ap/beacon.c

@@ -211,6 +211,8 @@ void handle_probe_req(struct hostapd_data *hapd,
 	size_t i;
 
 	ie = mgmt->u.probe_req.variable;
+	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req))
+		return;
 	ie_len = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req));
 
 	for (i = 0; hapd->probereq_cb && i < hapd->num_probereq_cb; i++)
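Review bot: The new length check in handle_probe_req drops a too-short frame silently, so a driver that delivers truncated Probe Requests leaves no trace in the logs. A debug-level message before the `return;` would make this visible, for example `wpa_printf(MSG_DEBUG, "Ignore too short Probe Request (len=%lu)", (unsigned long) len);`, assuming the file's usual logging helper is in scope. The check is also what stops `ie_len = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req))` from wrapping around as a size_t, which deserves a one-line comment such as `/* reject short frames so ie_len cannot underflow */`. The function begins and continues outside the hunk, so whether the later element parsing stays within ie_len cannot be confirmed from here.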

+ 3 - 0
src/ap/ieee802_11.c

@@ -1460,6 +1460,9 @@ void ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
 	int broadcast;
 	u16 fc, stype;
 
+	if (len < 24)
+		return;
+
 	mgmt = (struct ieee80211_mgmt *) buf;
 	fc = le_to_host16(mgmt->frame_control);
 	stype = WLAN_FC_GET_STYPE(fc);
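Review bot: The guard `if (len < 24)` hard-codes the management header size, while the check added to src/ap/beacon.c in this same commit uses IEEE80211_HDRLEN. Writing `if (len < IEEE80211_HDRLEN)` would keep the two checks in step and say what 24 means, assuming the macro is visible in this file. The guard covers only the fixed header that `mgmt->frame_control` is read from. Each subtype handler dispatched later in ieee802_11_mgmt still needs its own minimum-length check for its fixed fields, as handle_probe_req now has. Those handlers lie outside the hunk and should be checked separately.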