Cumulative security patch from commit ca68a8b561c48393c8ba25055ce294caaa3ac008
ca68a8b WPS: Explicitly reject Public Key attribute with unexpected length
6b94f71 WPS: Truncate variable length string attributes to maximum length
f4b64c6 Simplify VHT Operation element parsing
d6fefd6 Simplify HT Operation element parsing
40baac0 Simplify VHT Capabilities element parsing
baae4cb Simplify HT Capabilities element parsing
b39a059 Simplify Timeout Interval element parsing
e8997b9 Simplify ERP element parsing
f87c99c Simplify DSSS Parameter Set element parsing
ae7a42b FT: Check FT, MD, and Timeout Interval length in the parser
c9bf7b6 Fix a memory leak on mesh_attr_text() error path
2531036 FT: Fix WMM TSPEC validation in driver-based AP MLME case
632931c P2P: Use WPS_SEC_DEV_TYPE_MAX_LEN in P2P array definition
0f5acfb Use common is_ctrl_char() helper function
5a041ac WPS: Ignore too long SSID attribute
d6c3067 Replace SSID_LEN with SSID_MAX_LEN
eaa8eef Replace MAX_SSID_LEN with SSID_MAX_LEN
81847c2 Replace HOSTAPD_MAX_SSID_LEN with SSID_MAX_LEN
6fb761c Replace WPA_MAX_SSID_LEN with SSID_MAX_LEN
d9d1b95 Use SSID_MAX_LEN define instead of value 32 when comparing SSID length
65b1025 WPS: Ignore too long Device Name attribute
cc6f243 Add WPS_DEV_NAME_MAX_LEN define and use it when comparing length
dd3d857 P2PS: Check for maximum SSID length in Persistent Group Info
05e46a9 Ignore too long SSID element value in parser
90758f0 Mark QCA vendor command id 53 reserved, but not used anymore
f41ded6 Remove unused leftover from multi-SSID design
cb71a83 OpenSSL: Clean up TLS PRF implementation
7f90a23 Add QCA vendor subcmd for OCB
897418a eap_example: Fix configuration by added DH parameters
Change-Id: If688231edfce41163ef0c1f0ad75291a9bdfbe81
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index b4c47e2..46ed5aa 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -652,7 +652,7 @@
MACSTR, MAC2STR(res->bssid));
return;
}
- if (ssid[1] > 32) {
+ if (ssid[1] > SSID_MAX_LEN) {
wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Too long SSID IE included for "
MACSTR, MAC2STR(res->bssid));
return;
@@ -679,7 +679,7 @@
* (to save memory) */
mesh = wpa_scan_get_ie(res, WLAN_EID_MESH_ID);
- if (mesh && mesh[1] <= 32)
+ if (mesh && mesh[1] <= SSID_MAX_LEN)
ssid = mesh;
bss = wpa_bss_get(wpa_s, res->bssid, ssid + 2, ssid[1]);
diff --git a/wpa_supplicant/bss.h b/wpa_supplicant/bss.h
index 634aa3c..b215380 100644
--- a/wpa_supplicant/bss.h
+++ b/wpa_supplicant/bss.h
@@ -69,7 +69,7 @@
/** HESSID */
u8 hessid[ETH_ALEN];
/** SSID */
- u8 ssid[32];
+ u8 ssid[SSID_MAX_LEN];
/** Length of SSID */
size_t ssid_len;
/** Frequency of the channel in MHz (e.g., 2412 = channel 1) */
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index fb539cc..e1f4883 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1814,7 +1814,7 @@
* functions.
*/
static const struct parse_data ssid_fields[] = {
- { STR_RANGE(ssid, 0, MAX_SSID_LEN) },
+ { STR_RANGE(ssid, 0, SSID_MAX_LEN) },
{ INT_RANGE(scan_ssid, 0, 1) },
{ FUNC(bssid) },
{ FUNC(bssid_blacklist) },
@@ -2956,7 +2956,7 @@
if (os_strcmp(var, "excluded_ssid") == 0) {
struct excluded_ssid *e;
- if (len > MAX_SSID_LEN) {
+ if (len > SSID_MAX_LEN) {
wpa_printf(MSG_ERROR, "Line %d: invalid "
"excluded_ssid length %d", line, (int) len);
os_free(val);
@@ -4141,7 +4141,8 @@
{ FUNC_NO_VAR(load_dynamic_eap), 0 },
#ifdef CONFIG_WPS
{ FUNC(uuid), CFG_CHANGED_UUID },
- { STR_RANGE(device_name, 0, 32), CFG_CHANGED_DEVICE_NAME },
+ { STR_RANGE(device_name, 0, WPS_DEV_NAME_MAX_LEN),
+ CFG_CHANGED_DEVICE_NAME },
{ STR_RANGE(manufacturer, 0, 64), CFG_CHANGED_WPS_STRING },
{ STR_RANGE(model_name, 0, 32), CFG_CHANGED_WPS_STRING },
{ STR_RANGE(model_number, 0, 32), CFG_CHANGED_WPS_STRING },
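Review bot: Only the `device_name` row now uses a named limit; the `manufacturer`, `model_name` and `model_number` rows directly below it still carry bare `64` and `32`. The commit list says the WPS parser now bounds variable-length string attributes, so these config-side limits would be safer if they referenced the same named maxima the parser uses, which keeps the two from drifting apart. The table starts and ends outside the hunk, so other rows may have the same issue.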
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 34b754e..16681fd 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -37,6 +37,7 @@
#include "config_ssid.h"
#include "wps/wps.h"
+#include "common/ieee802_11_defs.h"
#include "common/ieee802_11_common.h"
@@ -241,7 +242,7 @@
char *phase2;
struct excluded_ssid {
- u8 ssid[MAX_SSID_LEN];
+ u8 ssid[SSID_MAX_LEN];
size_t ssid_len;
} *excluded_ssid;
size_t num_excluded_ssid;
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 23a37cc..dbb5a47 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -13,8 +13,6 @@
#include "utils/list.h"
#include "eap_peer/eap_config.h"
-#define MAX_SSID_LEN 32
-
#define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
#define DEFAULT_EAPOL_FLAGS (EAPOL_FLAG_REQUIRE_KEY_UNICAST | \
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index d48ac8a..a6aafee 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -153,7 +153,8 @@
}
ssid = ns;
- if ((end - pos) & 0x01 || end - pos > 2 * 32 ||
+ if ((end - pos) & 0x01 ||
+ end - pos > 2 * SSID_MAX_LEN ||
hexstr2bin(pos, ssid[ssid_count].ssid,
(end - pos) / 2) < 0) {
os_free(ssid);
@@ -1728,7 +1729,7 @@
if (ssid) {
u8 *_ssid = ssid->ssid;
size_t ssid_len = ssid->ssid_len;
- u8 ssid_buf[MAX_SSID_LEN];
+ u8 ssid_buf[SSID_MAX_LEN];
if (ssid_len == 0) {
int _res = wpa_drv_get_ssid(wpa_s, ssid_buf);
if (_res < 0)
@@ -7706,7 +7707,7 @@
if (os_strncmp(cmd, " ssid=", 6) == 0) {
ssid.ssid_len = os_strlen(cmd + 6);
- if (ssid.ssid_len > 32)
+ if (ssid.ssid_len > SSID_MAX_LEN)
return -1;
ssid.ssid = (u8 *) (cmd + 6);
ssid_p = &ssid;
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index 66ee32f..d695d1b 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -1034,10 +1034,10 @@
dbus_message_iter_get_fixed_array(&sub_array_iter, &val, &len);
- if (len > MAX_SSID_LEN) {
+ if (len > SSID_MAX_LEN) {
wpa_printf(MSG_DEBUG,
"%s[dbus]: SSID too long (len=%d max_len=%d)",
- __func__, len, MAX_SSID_LEN);
+ __func__, len, SSID_MAX_LEN);
*reply = wpas_dbus_error_invalid_args(
message, "Invalid SSID: too long");
return -1;
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index fc70035..49faadc 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -158,7 +158,7 @@
static int wpa_supplicant_select_config(struct wpa_supplicant *wpa_s)
{
struct wpa_ssid *ssid, *old_ssid;
- u8 drv_ssid[MAX_SSID_LEN];
+ u8 drv_ssid[SSID_MAX_LEN];
size_t drv_ssid_len;
int res;
diff --git a/wpa_supplicant/hs20_supplicant.c b/wpa_supplicant/hs20_supplicant.c
index b9cd681..98af530 100644
--- a/wpa_supplicant/hs20_supplicant.c
+++ b/wpa_supplicant/hs20_supplicant.c
@@ -46,7 +46,7 @@
struct osu_provider {
u8 bssid[ETH_ALEN];
- u8 osu_ssid[32];
+ u8 osu_ssid[SSID_MAX_LEN];
u8 osu_ssid_len;
char server_uri[256];
u32 osu_methods; /* bit 0 = OMA-DM, bit 1 = SOAP-XML SPP */
@@ -822,7 +822,7 @@
continue;
}
osu_ssid_len = *pos++;
- if (osu_ssid_len > 32) {
+ if (osu_ssid_len > SSID_MAX_LEN) {
wpa_printf(MSG_DEBUG, "HS 2.0: Invalid OSU SSID "
"Length %u", osu_ssid_len);
continue;
diff --git a/wpa_supplicant/mesh.c b/wpa_supplicant/mesh.c
index 33b4af3..ca012e2 100644
--- a/wpa_supplicant/mesh.c
+++ b/wpa_supplicant/mesh.c
@@ -453,22 +453,23 @@
ret = os_snprintf(pos, end - pos, "bss_basic_rate_set=%d",
bss_basic_rate_set[0]);
if (os_snprintf_error(end - pos, ret))
- return pos - buf;
+ goto fail;
pos += ret;
for (i = 1; i < bss_basic_rate_set_len; i++) {
ret = os_snprintf(pos, end - pos, " %d",
bss_basic_rate_set[i]);
if (os_snprintf_error(end - pos, ret))
- return pos - buf;
+ goto fail;
pos += ret;
}
ret = os_snprintf(pos, end - pos, "\n");
if (os_snprintf_error(end - pos, ret))
- return pos - buf;
+ goto fail;
pos += ret;
}
+fail:
os_free(bss_basic_rate_set);
return pos - buf;
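Review bot: The new `fail:` label is also the normal exit, since the success path falls through it to `os_free(bss_basic_rate_set)`. The error path still returns `pos - buf`, which is the length of whatever was written before truncation. A neutral name such as `out:` would read better, with a comment like `/* common exit: free the rate set; on truncation the partial length is returned */`. The enclosing function starts outside the hunk, so whether callers can tell truncated output from complete output is not visible here.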
diff --git a/wpa_supplicant/mesh_mpm.c b/wpa_supplicant/mesh_mpm.c
index 1d6f2be..b29b5ff 100644
--- a/wpa_supplicant/mesh_mpm.c
+++ b/wpa_supplicant/mesh_mpm.c
@@ -551,8 +551,7 @@
mesh_mpm_init_link(wpa_s, sta);
#ifdef CONFIG_IEEE80211N
- copy_sta_ht_capab(data, sta, elems->ht_capabilities,
- elems->ht_capabilities_len);
+ copy_sta_ht_capab(data, sta, elems->ht_capabilities);
update_ht_state(data, sta);
#endif /* CONFIG_IEEE80211N */
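Review bot: With the length argument dropped, `copy_sta_ht_capab(data, sta, elems->ht_capabilities)` depends on the element parser setting `ht_capabilities` only when the element has the full expected size. Neither the parser nor the callee is visible in this hunk. A short comment at the call site would record that invariant, e.g. `/* elems->ht_capabilities is only set by the parser for a full-length element */`, assuming that is what the parser change guarantees. The enclosing function starts and ends outside the hunk.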
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 5fe4618..9fbc532 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -967,12 +967,12 @@
res = os_snprintf(cmd, sizeof(cmd), "WPS_REG %s %s",
argv[0], argv[1]);
else if (argc == 5 || argc == 6) {
- char ssid_hex[2 * 32 + 1];
+ char ssid_hex[2 * SSID_MAX_LEN + 1];
char key_hex[2 * 64 + 1];
int i;
ssid_hex[0] = '\0';
- for (i = 0; i < 32; i++) {
+ for (i = 0; i < SSID_MAX_LEN; i++) {
if (argv[2][i] == '\0')
break;
os_snprintf(&ssid_hex[i * 2], 3, "%02x", argv[2][i]);
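Review bot: In the hex-encoding loop, `argv[2][i]` is passed to `%02x` as a plain `char`. Where `char` is signed, a byte above 0x7f is promoted to a negative int and formats as `ffffffXX`; the size limit of 3 then keeps only `ff`, so a non-ASCII SSID is encoded incorrectly. Casting at the call avoids this: `os_snprintf(&ssid_hex[i * 2], 3, "%02x", (unsigned char) argv[2][i]);` (this assumes `argv` is `char *argv[]`, which is declared outside the hunk). The loop also stops silently at SSID_MAX_LEN, so an over-long SSID argument is truncated rather than rejected. The same loop appears in the next wpa_cli.c hunk (`@@ -1096,12 +1096,12 @@`).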
@@ -1096,12 +1096,12 @@
int res;
if (argc == 5 || argc == 6) {
- char ssid_hex[2 * 32 + 1];
+ char ssid_hex[2 * SSID_MAX_LEN + 1];
char key_hex[2 * 64 + 1];
int i;
ssid_hex[0] = '\0';
- for (i = 0; i < 32; i++) {
+ for (i = 0; i < SSID_MAX_LEN; i++) {
if (argv[2][i] == '\0')
break;
os_snprintf(&ssid_hex[i * 2], 3, "%02x", argv[2][i]);
diff --git a/wpa_supplicant/wpa_priv.c b/wpa_supplicant/wpa_priv.c
index ac38d69..6bd60b9 100644
--- a/wpa_supplicant/wpa_priv.c
+++ b/wpa_supplicant/wpa_priv.c
@@ -199,7 +199,7 @@
if (bssid[0] | bssid[1] | bssid[2] | bssid[3] | bssid[4] | bssid[5])
params.bssid = bssid;
params.ssid = assoc->ssid;
- if (assoc->ssid_len > 32)
+ if (assoc->ssid_len > SSID_MAX_LEN)
return;
params.ssid_len = assoc->ssid_len;
params.freq.mode = assoc->hwmode;
@@ -244,7 +244,7 @@
static void wpa_priv_cmd_get_ssid(struct wpa_priv_interface *iface,
struct sockaddr_un *from)
{
- u8 ssid[sizeof(int) + 32];
+ u8 ssid[sizeof(int) + SSID_MAX_LEN];
int res;
if (iface->drv_priv == NULL)
@@ -254,7 +254,7 @@
goto fail;
res = iface->driver->get_ssid(iface->drv_priv, &ssid[sizeof(int)]);
- if (res < 0 || res > 32)
+ if (res < 0 || res > SSID_MAX_LEN)
goto fail;
os_memcpy(ssid, &res, sizeof(int));
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 2ba9c38..b96fd8e 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2872,7 +2872,7 @@
struct wpa_ssid * wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s)
{
struct wpa_ssid *entry;
- u8 ssid[MAX_SSID_LEN];
+ u8 ssid[SSID_MAX_LEN];
int res;
size_t ssid_len;
u8 bssid[ETH_ALEN];
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 2d517f1..1b9753c 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -369,7 +369,7 @@
};
struct wpa_ssid_value {
- u8 ssid[32];
+ u8 ssid[SSID_MAX_LEN];
size_t ssid_len;
};
@@ -662,7 +662,7 @@
#ifdef CONFIG_SME
struct {
- u8 ssid[32];
+ u8 ssid[SSID_MAX_LEN];
size_t ssid_len;
int freq;
u8 assoc_req_ie[200];
@@ -768,7 +768,7 @@
u8 pending_join_iface_addr[ETH_ALEN];
u8 pending_join_dev_addr[ETH_ALEN];
int pending_join_wps_method;
- u8 p2p_join_ssid[32];
+ u8 p2p_join_ssid[SSID_MAX_LEN];
size_t p2p_join_ssid_len;
int p2p_join_scan_count;
int auto_pd_scan_retry;
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index eabe986..52594a1 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1910,7 +1910,7 @@
struct wps_credential *cred)
{
os_memset(cred, 0, sizeof(*cred));
- if (ssid->ssid_len > 32)
+ if (ssid->ssid_len > SSID_MAX_LEN)
return -1;
os_memcpy(cred->ssid, ssid->ssid, ssid->ssid_len);
cred->ssid_len = ssid->ssid_len;