Ignore too long SSID element value in parser The SSID element is defined to have a valid length range of 0-32. While this length was supposed to validated by the users of the element parser, there are not really any valid cases where the maximum length of 32 octet SSID would be exceeded and as such, the parser itself can enforce the limit as an additional protection. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

commit: 05e46a944ac6f5667b180e8ff49793e3c45ae6dd [log] [tgz]
author: Jouni Malinen <jouni@qca.qualcomm.com> Tue Apr 07 11:50:10 2015 +0300
committer: Jouni Malinen <j@w1.fi> Wed Apr 22 11:44:18 2015 +0300
tree: f5f749a871d092aa6828e9212b0b5b22a5f577ff
parent: 9ed4eee345f85e3025c33c6e20aa25696e341ccd [diff]
diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index aca0b73..c741e13 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c

@@ -196,6 +196,12 @@
 
 		switch (id) {
 		case WLAN_EID_SSID:
+			if (elen > SSID_MAX_LEN) {
+				wpa_printf(MSG_DEBUG,
+					   "Ignored too long SSID element (elen=%u)",
+					   elen);
+				break;
+			}
 			elems->ssid = pos;
 			elems->ssid_len = elen;
 			break;

diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h
index 6e9c43c..62009f5 100644
--- a/src/common/ieee802_11_defs.h
+++ b/src/common/ieee802_11_defs.h

@@ -1354,4 +1354,6 @@
 	u8 variable[0];
 } STRUCT_PACKED;
 
+#define SSID_MAX_LEN 32
+
 #endif /* IEEE802_11_DEFS_H */
commit	05e46a944ac6f5667b180e8ff49793e3c45ae6dd	[log] [tgz]
author	Jouni Malinen <jouni@qca.qualcomm.com>	Tue Apr 07 11:50:10 2015 +0300
committer	Jouni Malinen <j@w1.fi>	Wed Apr 22 11:44:18 2015 +0300
tree	f5f749a871d092aa6828e9212b0b5b22a5f577ff
parent	9ed4eee345f85e3025c33c6e20aa25696e341ccd [diff]