From 66c227b9cc955edf2c930d06c32fe248f67c49f6 Mon Sep 17 00:00:00 2001
From: maoyufeng
Date: Tue, 24 Aug 2021 09:45:26 +0800
Subject: [PATCH] ing of secondary device types for P2P group client

Parsing and copying of WPS secondary device types list was verifying that the contents is not too long for the internal maximum in the case of WPS messages, but similar validation was missing from the case of P2P group information which encodes this information in a different attribute. This could result in writing beyond the memory area assigned for these entries and corrupting memory within an instance of struct p2p_device. This could result in invalid operations and unexpected behavior when trying to free pointers from that corrupted memory.

CRs-Fixed: 2823861
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
Signed-off-by: maoyufeng
---
 wpa_supplicant-2.9/src/p2p/p2p.c | 2 ++
 wpa_supplicant-2.9_standard/src/p2p/p2p.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/wpa_supplicant-2.9/src/p2p/p2p.c b/wpa_supplicant-2.9/src/p2p/p2p.c
index 9bbb91e..286a959 100755
--- a/wpa_supplicant-2.9/src/p2p/p2p.c
+++ b/wpa_supplicant-2.9/src/p2p/p2p.c
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
 dev->info.config_methods = cli->config_methods;
 os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
 dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
 os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
 dev->info.wps_sec_dev_type_list_len);
 }
diff --git a/wpa_supplicant-2.9_standard/src/p2p/p2p.c b/wpa_supplicant-2.9_standard/src/p2p/p2p.c
index 9bbb91e..286a959 100644
--- a/wpa_supplicant-2.9_standard/src/p2p/p2p.c
+++ b/wpa_supplicant-2.9_standard/src/p2p/p2p.c
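Review bot: The clamp added after `dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;` silently discards the surplus entries, so a peer that sends more secondary device types than wps_sec_dev_type_list holds leaves no trace in the logs even though this is exactly the input the fuzzer tripped on; the identical hunk in wpa_supplicant-2.9_standard/src/p2p/p2p.c has the same gap. A debug line inside the new if body (which then needs braces), e.g. `wpa_printf(MSG_DEBUG, "P2P: Too many secondary device types from peer, truncating list");`, would make the truncation observable without changing behavior. A comment above the check would also tell a later reader why it exists here and not in the parser: `/* cli->sec_dev_types comes from the peer's P2P group info attribute, which is not checked against the internal maximum the WPS path enforces; cap it before copying into wps_sec_dev_type_list */`. Note the cap only keeps whole 8-byte entries while WPS_SEC_DEV_TYPE_MAX_LEN stays a multiple of 8 — presumably it is, but a build-time check near the constant would pin that assumption. p2p_copy_client_info begins before the hunk.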
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
 dev->info.config_methods = cli->config_methods;
 os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
 dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
 os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
 dev->info.wps_sec_dev_type_list_len);
 }
--
Gitee