|
|
919688 |
From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
|
|
|
919688 |
Message-Id: <947272febe24a8f0ea828b5b2f35f13c3821901e.1612435525.git.davide.caratti@gmail.com>
|
|
|
919688 |
From: Jouni Malinen <jouni@codeaurora.org>
|
|
|
919688 |
Date: Mon, 9 Nov 2020 11:43:12 +0200
|
|
|
919688 |
Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
|
|
|
919688 |
client
|
|
|
919688 |
|
|
|
919688 |
Parsing and copying of WPS secondary device types list was verifying
|
|
|
919688 |
that the contents is not too long for the internal maximum in the case
|
|
|
919688 |
of WPS messages, but similar validation was missing from the case of P2P
|
|
|
919688 |
group information which encodes this information in a different
|
|
|
919688 |
attribute. This could result in writing beyond the memory area assigned
|
|
|
919688 |
for these entries and corrupting memory within an instance of struct
|
|
|
919688 |
p2p_device. This could result in invalid operations and unexpected
|
|
|
919688 |
behavior when trying to free pointers from that corrupted memory.
|
|
|
919688 |
|
|
|
919688 |
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
|
|
|
919688 |
Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
|
|
|
919688 |
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
|
|
919688 |
---
|
|
|
919688 |
src/p2p/p2p.c | 2 ++
|
|
|
919688 |
1 file changed, 2 insertions(+)
|
|
|
919688 |
|
|
|
919688 |
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
|
|
|
919688 |
index 74b7b52ae..5cbfc217f 100644
|
|
|
919688 |
--- a/src/p2p/p2p.c
|
|
|
919688 |
+++ b/src/p2p/p2p.c
|
|
|
919688 |
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
|
|
|
919688 |
dev->info.config_methods = cli->config_methods;
|
|
|
919688 |
os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
|
|
|
919688 |
dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
|
|
|
919688 |
+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
|
|
|
919688 |
+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
|
|
|
919688 |
os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
|
|
|
919688 |
dev->info.wps_sec_dev_type_list_len);
|
|
|
919688 |
}
|
|
|
919688 |
--
|
|
|
919688 |
2.29.2
|
|
|
919688 |
|