[PATCH 15/25] WNM: Add candidate list to BSS transition response

Peer, Ilan ilan.peer at intel.com
Mon Feb 22 01:35:18 PST 2016


> -----Original Message-----
> From: Jouni Malinen [mailto:j at w1.fi]
> Sent: Monday, February 22, 2016 10:24
> To: Peer, Ilan
> Cc: hostap at lists.infradead.org; Stern, Avraham
> Subject: Re: [PATCH 15/25] WNM: Add candidate list to BSS transition
> response
> 
> On Mon, Feb 15, 2016 at 04:53:41PM +0200, Ilan Peer wrote:
> > Add the transition candidate list to BSS transition response.
> > The candidates preference is set using the regular wpa_supplicant BSS
> > selection logic.
> > If the BSS transition request is rejected and updated scan results are
> > not available, the list is not added.
> 
> > +static int wnm_nei_rep_add_bss(struct wpa_supplicant *wpa_s,
> 
> > +	ie = wpa_bss_get_ie(bss, WLAN_EID_VHT_OPERATION);
> > +	if (ie) {
> > +		vht_oper = (struct ieee80211_vht_operation *)(ie + 2);
> > +
> > +		switch (vht_oper->vht_op_info_chwidth) {
> 
> This could result in buffer overflow since ie[1] was not checked to be large
> enough. I'm just noting this here, but there are similar buffer overflow
> through number of these patches. Whenever using information received
> from an external entity, all the length fields need to be checked to be valid
> before reading data.
> 

Agree. 

> > +		case 2:
> > +			vht = VHT_CHANWIDTH_80MHZ;
> > +			break;
> > +		case 3:
> > +			vht = VHT_CHANWIDTH_160MHZ;
> > +			break;
> > +		case 4:
> > +			vht = VHT_CHANWIDTH_80P80MHZ;
> > +			break;
> > +		default:
> > +			vht = 0;
> > +		}
> > +	}
> > +
> > +	if (ieee80211_freq_to_channel_ext(bss->freq, sec_chan, vht,
> &op_class,
> > +					  &chan) == NUM_HOSTAPD_MODES)
> {
> 
> Why is that conversion from vht_oper->vht_op_info_chwidth to vht used
> here when the Channel Width field in the VHT Operation element is using
> those VHT_CHANWIDTH_* values? The values 2, 3, and 4 here do not match
> the values used in this field and the correct thing to do would seem to be
> simply to set vht = vht_oper->vht_op_info_chwidth.
> 

This is indeed wrong. I think that we got this confused with the values defined in Table 8-151 (HT/VHT Operation Information subfields) as defined in P802.11REVmc D4.3.

Shall I resubmit this patch with the fixes?

Thanks in advance,

Ilan.



More information about the Hostap mailing list