From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001

Message-Id: <947272febe24a8f0ea828b5b2f35f13c3821901e.1612435525.git.davide.caratti@gmail.com>

From: Jouni Malinen <jouni@codeaurora.org>

Date: Mon, 9 Nov 2020 11:43:12 +0200

Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group

 client

Parsing and copying of WPS secondary device types list was verifying

that the contents is not too long for the internal maximum in the case

of WPS messages, but similar validation was missing from the case of P2P

group information which encodes this information in a different

attribute. This could result in writing beyond the memory area assigned

for these entries and corrupting memory within an instance of struct

p2p_device. This could result in invalid operations and unexpected

behavior when trying to free pointers from that corrupted memory.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269

Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

---

 src/p2p/p2p.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c

index 74b7b52ae..5cbfc217f 100644

--- a/src/p2p/p2p.c

+++ b/src/p2p/p2p.c

@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,

 	dev->info.config_methods = cli->config_methods;

 	os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);

 	dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;

+	if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)

+		dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;

 	os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,

 		  dev->info.wps_sec_dev_type_list_len);

 }

-- 

2.29.2