Update IEEE802.11 Information Element

Add control check length into IE parsing function
2014-01-10 17:53:12 +01:00
parent d2c01ad82a
commit b4a95beb89
3 changed files with 89 additions and 21 deletions
--- a/src/binding/ieee80211/wifi_drivers.c
+++ b/src/binding/ieee80211/wifi_drivers.c
@ -675,46 +675,91 @@ int wifi_retrieve_information_elements_position(struct ieee80211_ie_items* items
 		/* Parsing Information Element */
 		switch (ie_id) {
 			case IEEE80211_IE_SSID: {
+				if (ie_len > IEEE80211_IE_SSID_MAX_LENGTH) {
+					return -1;
+				}
+
 				items->ssid = (struct ieee80211_ie_ssid*)data;
 				break;
 			}

 			case IEEE80211_IE_SUPPORTED_RATES: {
+				if ((ie_len < IEEE80211_IE_SUPPORTED_RATES_MIN_LENGTH) || (ie_len > IEEE80211_IE_SUPPORTED_RATES_MAX_LENGTH)) {
+					return -1;
+				}
+
 				items->supported_rates = (struct ieee80211_ie_supported_rates*)data;
 				break;
 			}

 			case IEEE80211_IE_DSSS: {
+				if (ie_len != IEEE80211_IE_DSSS_LENGTH) {
+					return -1;
+				}
+
 				items->dsss = (struct ieee80211_ie_dsss*)data;
 				break;
 			}

 			case IEEE80211_IE_COUNTRY: {
+				if (ie_len < IEEE80211_IE_COUNTRY_MIN_LENGTH) {
+					return -1;
+				}
+
 				items->country = (struct ieee80211_ie_country*)data;
 				break;
 			}

+			case IEEE80211_IE_CHALLENGE_TEXT: {
+				if (ie_len < IEEE80211_IE_CHALLENGE_TEXT_MIN_LENGTH) {
+					return -1;
+				}
+
+				items->challenge_text = (struct ieee80211_ie_challenge_text*)data;
+				break;
+			}
+
 			case IEEE80211_IE_ERP: {
+				if (ie_len != IEEE80211_IE_ERP_LENGTH) {
+					return -1;
+				}
+
 				items->erp = (struct ieee80211_ie_erp*)data;
 				break;
 			}

 			case IEEE80211_IE_EXTENDED_SUPPORTED_RATES: {
+				if (ie_len < IEEE80211_IE_EXTENDED_SUPPORTED_MIN_LENGTH) {
+					return -1;
+				}
+
 				items->extended_supported_rates = (struct ieee80211_ie_extended_supported_rates*)data;
 				break;
 			}

 			case IEEE80211_IE_EDCA_PARAMETER_SET: {
+				if (ie_len != IEEE80211_IE_EDCA_PARAMETER_SET_LENGTH) {
+					return -1;
+				}
+
 				items->edca_parameter_set = (struct ieee80211_ie_edca_parameter_set*)data;
 				break;
 			}

 			case IEEE80211_IE_QOS_CAPABILITY: {
+				if (ie_len != IEEE80211_IE_QOS_CAPABILITY_LENGTH) {
+					return -1;
+				}
+
 				items->qos_capability = (struct ieee80211_ie_qos_capability*)data;
 				break;
 			}

 			case IEEE80211_IE_POWER_CONSTRAINT: {
+				if (ie_len != IEEE80211_IE_POWER_CONSTRAINT_LENGTH) {
+					return -1;
+				}
+
 				items->power_constraint = (struct ieee80211_ie_power_constraint*)data;
 				break;
 			}