Patchwork dbus: validate SSID length in new D-Bus scan request

login
register
mail settings
Submitter Sam Leffler
Date Jan. 18, 2012, 10:18 p.m.
Message ID <20120118222954.EB5EF58072@lefflers.sfo.corp.google.com>
Download mbox | patch
Permalink /patch/136708/
State Accepted
Commit f9121813d75f5d21c786eaa94f108463d64a2ace
Headers show

Comments

Sam Leffler - Jan. 18, 2012, 10:18 p.m.
Validate the length of each SSID passed in a new D-Bus protocol
Scan request.

Change-Id: I6c4bc44bc0ea41b80e3354af82ccd5ef64e617dc
---
 wpa_supplicant/dbus/dbus_new_handlers.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)
Jouni Malinen - Jan. 22, 2012, 10:03 a.m.
On Wed, Jan 18, 2012 at 02:18:18PM -0800, Sam Leffler wrote:
> Validate the length of each SSID passed in a new D-Bus protocol
> Scan request.

Thanks! Applied.

Patch

diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index e3526d4..f90c060 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -921,6 +921,16 @@  static int wpas_dbus_get_scan_ssids(DBusMessage *message, DBusMessageIter *var,
 
 		dbus_message_iter_get_fixed_array(&sub_array_iter, &val, &len);
 
+		if (len > MAX_SSID_LEN) {
+			wpa_printf(MSG_DEBUG,
+				   "wpas_dbus_handler_scan[dbus]: "
+				   "SSID too long (len=%d max_len=%d)",
+				   len, MAX_SSID_LEN);
+			*reply = wpas_dbus_error_invalid_args(
+				message, "Invalid SSID: too long");
+			return -1;
+		}
+
 		if (len != 0) {
 			ssid = os_malloc(len);
 			if (ssid == NULL) {