[wpa_supplicant] Fix out of bounds read at src/ap/ieee802_11.c:3825
Fix out of bounds read in hostapd at external/wpa_supplicant_8/src/ap/ieee802_11.c:3825
Bug: 122529021
Test: Toggle Soft AP on/off
Test: Associate to Soft AP with a STA and run traffic
Change-Id: I6a779969790ebf1f58d057bb03215b14b2c03bff
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index d2d6b17..90788de 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4056,6 +4056,18 @@
u16 auth_alg, auth_transaction, status_code;
struct sta_info *sta;
+ if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
+ wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
+ (unsigned long) len);
+
+ /*
+ * Initialize status_code here because we are not able to read
+ * it from the short payload.
+ */
+ status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ goto fail;
+ }
+
sta = ap_get_sta(hapd, mgmt->da);
if (!sta) {
wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
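Review bot: The `goto fail;` that ends the new length check runs before `sta` is assigned, because `struct sta_info *sta;` has no initializer and `sta = ap_get_sta(hapd, mgmt->da);` only comes after the block. The `fail:` label is outside this hunk, so this cannot be confirmed from here, but if that path reads `sta`, every too-short frame would make it use an indeterminate pointer, trading the out-of-bounds read for an uninitialized-pointer dereference. Either declare `struct sta_info *sta = NULL;` and have the fail path test it before use, or keep the length check after the lookup and the `!sta` return so that it guards only the `mgmt->u.auth` reads. handle_auth_cb's body starts and ends outside the hunk, so please check the cleanup code at `fail:` against this early exit.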
@@ -4075,12 +4087,6 @@
goto fail;
}
- if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
- wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
- (unsigned long) len);
- goto fail;
- }
-
if (status_code == WLAN_STATUS_SUCCESS &&
((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
(auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {