[PATCH 10/23] P2PS: Add validation for P2PS PD request
Jouni Malinen
Mon Oct 5 09:40:19 PDT 2015
On Thu, Sep 24, 2015 at 08:38:00PM +0300, Ilan Peer wrote:
> Validate that all the required attributes appear in a P2PS PD request,
> and in addition in case of follow-on PD request, check that the given
> values match those of the original PD request.
This seems to be losing a couple of checks and potentially allowing DoS
attacks due to NULL pointer dereferences..
> +static int p2ps_validate_pd_req(struct p2p_data *p2p,
> + P2PS_PD_REQ_CHECK(1, adv_id);
> + P2PS_PD_REQ_CHECK(1, session_id);
> + P2PS_PD_REQ_CHECK(1, capability);
> + P2PS_PD_REQ_CHECK(1, p2p_device_info);
> + P2PS_PD_REQ_CHECK(1, feature_cap);
session_mac and adv_mac missing here..
> @@ -538,21 +645,21 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
> - if (!msg.adv_id || !msg.session_id || !msg.session_mac ||
> - !msg.adv_mac || !msg.feature_cap ||
> - msg.feature_cap_len < sizeof(*req_fcap) ||
> - !(msg.status || msg.conn_cap))
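Review bot: the condition removed here also rejected a too-short feature_cap (`msg.feature_cap_len < sizeof(*req_fcap)`) and a request carrying neither `msg.status` nor `msg.conn_cap`, and neither test has a visible counterpart among the P2PS_PD_REQ_CHECK lines quoted from p2ps_validate_pd_req(), which show only a check on feature_cap itself. Because msg.feature_cap is cast to struct p2ps_feature_capab * right after this condition, the length test should either be shown to live in the new validation function or stay here ahead of the cast; the same applies to the status/conn_cap requirement.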
While they were checked here..
> req_fcap = (struct p2ps_feature_capab *) msg.feature_cap;
And are being dereferenced unconditionally after that line..
Am I missing something here? I added these to my work branch to avoid
NULL pointer dereference:
+ P2PS_PD_REQ_CHECK(1, session_mac);
+ P2PS_PD_REQ_CHECK(1, adv_mac);
--
Jouni Malinen PGP id EFC895FA