d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[ifconfig] handle illegal WPS frames

Browse Source 
Some APs broadcast WPS IE frames with totally broken data.  Ifconfig's printwpsie()
loops through WPS frames printing the attributes out; if the frame's data is bad,
printwpsie() can end up looking at out-of-bounds addresses causing ifconfig to
bus error.

Thanks to Takashi Inoue at Nihon U for his efforts in debugging this.

PR:		bin/217312
Submitted by:	fbsd@opal.com
MFC after:	1 week
This commit is contained in:
Adrian Chadd 2017-02-23 20:49:17 +00:00
parent b853277efc
commit 843635d3b0
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sbin/ifconfig/ifieee80211.c
View File

@ -3160,6 +3160,14 @@ printwpsie(const char *tag, const u_int8_t *ie, size_t ielen, int maxlen)
uint16_t tlv_type = BE_READ_2(ie);
uint16_t tlv_len = BE_READ_2(ie + 2);
/* some devices broadcast invalid WPS frames */
if (tlv_len > len) {
printf("bad frame length tlv_type=0x%02x "
"tlv_len=%d len=%d", tlv_type, tlv_len,
len);
break;
}
ie += 4, len -= 4;
switch (tlv_type) {