[wpa_supplicant] Fix security vulnerability p2p_supplicant_sd.c:564
Fix Security Vulnerability - Security Report - [Out of bounds read in
wpas_sd_req_asp in external/wpa_supplicant_8/wpa_supplicant/p2p_supplicant_sd.c:564]
Bug: 120905706
Test: Connect to AP, run traffic
Test: Run poc_p2p_supplicant_sd_564 on device, confirm new error message
appears
Change-Id: Ide2a7d41d5e87c79643e9ef23c2edb7ac1277a25
diff --git a/wpa_supplicant/p2p_supplicant_sd.c b/wpa_supplicant/p2p_supplicant_sd.c
index f8675e6..fb30584 100644
--- a/wpa_supplicant/p2p_supplicant_sd.c
+++ b/wpa_supplicant/p2p_supplicant_sd.c
@@ -559,9 +559,9 @@
const u8 *query, size_t query_len)
{
struct p2ps_advertisement *adv_data;
- const u8 *svc = &query[1];
+ const u8 *svc;
const u8 *info = NULL;
- size_t svc_len = query[0];
+ size_t svc_len;
size_t info_len = 0;
int prefix = 0;
u8 *count_pos = NULL;
@@ -569,6 +569,15 @@
wpa_hexdump(MSG_DEBUG, "P2P: SD Request for ASP", query, query_len);
+ if (query_len < 1) {
+ wpa_printf(MSG_DEBUG, "P2P: ASP bad request");
+ wpas_sd_add_bad_request(resp, P2P_SERV_P2PS, srv_trans_id);
+ return;
+ }
+
+ svc_len = query[0];
+ svc = &query[1];
+
if (!wpa_s->global->p2p) {
wpa_printf(MSG_DEBUG, "P2P: ASP protocol not available");
wpas_sd_add_proto_not_avail(resp, P2P_SERV_P2PS, srv_trans_id);
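Review bot: The added `query_len < 1` guard protects only the read of `query[0]`; `svc_len` then comes straight from that peer-supplied byte, and nothing in this hunk bounds it against the remaining `query_len - 1` bytes before `svc` is used. The body of wpas_sd_req_asp continues outside the hunk, so a later range check may already cover this. If it does not, reject the request right after the assignment with `if (svc_len > query_len - 1) { wpas_sd_add_bad_request(resp, P2P_SERV_P2PS, srv_trans_id); return; }`. I would also add a comment above the guard, such as `/* query[0] is the service name length; an empty query has no length byte to read */`, and make the debug text specific (for example `"P2P: ASP bad request (empty query)"`) so the test step can tell this path apart from any other bad-request log.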