From b48f6b7cc401dbbd524403d86e2e161c0d01199a Mon Sep 17 00:00:00 2001
From: Janusz Dziedzic <janusz.dziedzic@iopsys.eu>
Date: Thu, 10 Feb 2022 14:39:38 +0100
Subject: [PATCH] check channel preference report
Check if we don't pass tlv length.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@iopsys.eu>
---
 src/cntlr_map.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/cntlr_map.c b/src/cntlr_map.c
index 5a7e65db..218148a9 100644
--- a/src/cntlr_map.c
+++ b/src/cntlr_map.c
@@ -958,13 +958,24 @@ int handle_channel_pref_report(void *cntlr, struct cmdu_buff *cmdu)
 idx = 0;
 while (tv[0][idx]) {
- struct tlv *t = (struct tlv *)tv[0][idx++];
+ struct tlv *t;
+ uint16_t t_len;
 uint8_t mac[6] = { 0 };
 int num_opclass;
+ t = (struct tlv *) tv[0][idx];
+ t_len = tlv_length(tv[0][idx]);
+ idx++;
+ offset = 0;
+
+ if (WARN_ON(offset + 6 > t_len))
+ continue;
 memcpy(mac, &t->data[offset], 6);
 offset += 6;
+
+ if (WARN_ON(offset + 1 > t_len))
+ continue;
 num_opclass = t->data[offset++];
 radio = find_radio_by_node(cntlr, node, mac);
@@ -980,8 +991,13 @@ int handle_channel_pref_report(void *cntlr, struct cmdu_buff *cmdu)
 uint8_t preference;
 uint8_t channel;
+ if (WARN_ON(offset + 2 > t_len))
+ break;
 opclass = t->data[offset++];
 num_channel = t->data[offset++];
+
+ if (WARN_ON(offset + num_channel + 1 > t_len))
+ break;
 preference = t->data[offset + num_channel];
 for (j = 0; j < num_channel; j++) {
-- 
GitLab
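Review bot: The bound in `t_len = tlv_length(tv[0][idx]);` comes from the TLV's own length field, so the new `offset + 6 > t_len` and `offset + 1 > t_len` guards only keep reads inside this TLV and are only as strong as the earlier TLV parsing that should already have checked each length against the end of the received CMDU buffer; that parse is not visible in this hunk, so it is worth confirming and stating next to the assignment, e.g. `/* t_len is trusted here: the TLV parser must have bounded it against the CMDU buffer */`. Each malformed TLV also raises a WARN_ON before `continue`, and since the report originates from a remote agent a stream of malformed reports would produce a warning per TLV; a debug-level or rate-limited message may be the better fit for peer-controlled input. handle_channel_pref_report begins and ends outside the hunk.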
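Review bot: `break` on a truncated opclass entry drops the remainder of the TLV but keeps whatever the loop body already did with the entries before it, so if the body stores each opclass/channel preference as it goes (outside the hunk) a malformed report leaves the radio's preference state partially updated; either validate the whole TLV before mutating state or discard this radio's entries on `break`, and say which in a comment on the `break`. The bounds themselves look right: `offset + 2` covers `opclass` and `num_channel`, and `offset + num_channel + 1` covers the channel list plus the trailing `preference` byte read at `t->data[offset + num_channel]`. The enclosing for loop and the rest of handle_channel_pref_report are outside the hunk.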