author | eadler <eadler@FreeBSD.org> | 2018-03-05 07:14:56 +0000 |
---|---|---|
committer | eadler <eadler@FreeBSD.org> | 2018-03-05 07:14:56 +0000 |
commit | e04bce9b4972e0f91b7874fed99e7a1c35f19095 (patch) | |
tree | e4943474ceb602b5d32ee61ef9cc42fa3978d0ae | |
parent | d9f0962eb4bedc5ddb46961cf4de49c97755c266 (diff) | |
MFC r314181:
[ifconfig] handle illegal WPS frames
Some APs broadcast WPS IE frames with totally broken data. Ifconfig's printwpsie()
loops through WPS frames printing the attributes out; if the frame's data is bad,
printwpsie() can end up looking at out-of-bounds addresses causing ifconfig to
bus error.
Thanks to Takashi Inoue at Nihon U for his efforts in debugging this.
PR: bin/217312
-rw-r--r-- | sbin/ifconfig/ifieee80211.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sbin/ifconfig/ifieee80211.c b/sbin/ifconfig/ifieee80211.c index ddaf980..7e44556 100644 --- a/sbin/ifconfig/ifieee80211.c +++ b/sbin/ifconfig/ifieee80211.c @@ -2997,6 +2997,14 @@ printwpsie(const char *tag, const u_int8_t *ie, size_t ielen, int maxlen) uint16_t tlv_type = BE_READ_2(ie); uint16_t tlv_len = BE_READ_2(ie + 2); + /* some devices broadcast invalid WPS frames */ + if (tlv_len > len) { + printf("bad frame length tlv_type=0x%02x " + "tlv_len=%d len=%d", tlv_type, tlv_len, + len); + break; + } + ie += 4, len -= 4; switch (tlv_type) { |
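Review bot: the new `tlv_len > len` test runs before `ie += 4, len -= 4;`, so `len` still counts the 4-byte type/length header at the point of comparison. A TLV whose `tlv_len` lies between `len - 3` and `len` passes the check, yet once the header is consumed its payload is longer than what remains, by up to 4 bytes. Comparing against the payload that is actually left, for example `len < 4 || tlv_len > len - 4`, or moving the test below the `ie += 4, len -= 4;` line, would close that gap. Minor: `tlv_type` is a `uint16_t` printed with `%02x`, where `%04x` would match its width, and the message string ends without a newline or delimiter before the `break`.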