[RFC 38/40] WPS: add WPS Vendor Extension attribute in Beacon Frame

Jouni Malinen j at w1.fi
Thu Mar 17 08:02:05 EDT 2011


On Wed, Jan 05, 2011 at 08:53:34PM +0100, Johannes Berg wrote:
> WPS vendor extension can be set in hapd->conf structure
> when AP (Group Owner) is configured after p2p group has been started.
> WPS vendor extension can also be updated through the
> hostapd_update_wps function call in wps_hostapd.c.
> Number of WPS Vendor Extension is currently limited to 1 (defined
> with WPS_MAX_VENDOR_EXTENSIONS_IN_BEACON macro).

Why is this added to WSC IEs in Beacon frames, but not in Probe Response
frames?


> diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
> @@ -1113,7 +1113,8 @@ static int wps_set_ie(struct wps_registrar *reg)
>  	    wps_build_device_attrs(&reg->wps->dev, probe) ||
>  	    wps_build_probe_config_methods(reg, probe) ||
>  	    wps_build_rf_bands(&reg->wps->dev, probe) ||
> -	    wps_build_wfa_ext(probe, 0, auth_macs, count)) {
> +	    wps_build_wfa_ext(probe, 0, auth_macs, count) ||
> +	    wps_build_vendor_ext(&reg->wps->dev, beacon)) {
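
Review bot: The added wps_build_vendor_ext(&reg->wps->dev, beacon) call on the last + line writes into beacon, while every other call in this || chain writes into probe, so the beacon buffer is modified in the middle of the probe buffer's construction and a failure of the beacon append takes the probe error path. Move the call into the condition that builds beacon, and if the extension is also wanted in the other frame, add a separate call that passes probe. Nothing in the hunk sizes either buffer for the extension, so the allocation should account for the vendor extension length, or the append should be guarded by a check on the remaining space.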

This looks like an odd place for adding something to the beacon
wpabuf... This is at the end of Probe Request buffer construction!

Anyway, the worse part here is that there does not seem to be any bounds
checking or code for increasing the size of the beacon wpabuf based on
the length of the vendor extensions. These extensions could be quite
long and will result in wpa_supplicant/hostapd terminating if they go
beyond the 400 octet buffer that is reserved for the WSC IE in this
function.

-- 
Jouni Malinen                                            PGP id EFC895FA
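
Added example, not part of the original message and not hostap code: a sketch of the bounds handling the review asks for, sizing the buffer from the vendor extension lengths and refusing an append that would not fit. struct bbuf, struct vendor_ext and the function names are hypothetical; the 400-octet base is the figure from the message, and 0x1049 is the WPS Vendor Extension attribute type.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WSC_IE_BASE_LEN 400      /* fixed reservation mentioned in the review */
#define ATTR_VENDOR_EXT 0x1049   /* WPS Vendor Extension attribute type */

/* Hypothetical bounded buffer; a stand-in, not the hostap wpabuf API. */
struct bbuf {
    uint8_t *data;
    size_t size;   /* capacity in octets */
    size_t used;   /* octets already written */
};

/* Hypothetical holder for one configured vendor extension. */
struct vendor_ext {
    const uint8_t *data;
    size_t len;
};

/* Extra space to add to the base allocation:
 * a 4-octet attribute header plus the payload for each extension. */
size_t vendor_ext_total_len(const struct vendor_ext *ext, size_t count)
{
    size_t total = 0;
    for (size_t i = 0; i < count; i++)
        if (ext[i].data)
            total += 4 + ext[i].len;
    return total;
}

/* Append one attribute; returns -1 and leaves the buffer untouched
 * when the attribute does not fit, instead of writing past the end. */
int put_vendor_ext(struct bbuf *b, const struct vendor_ext *e)
{
    if (e->len > 0xffff || b->size - b->used < 4 + e->len)
        return -1;
    uint8_t *p = b->data + b->used;
    p[0] = ATTR_VENDOR_EXT >> 8;        /* type, big-endian */
    p[1] = ATTR_VENDOR_EXT & 0xff;
    p[2] = (uint8_t)(e->len >> 8);      /* length, big-endian */
    p[3] = (uint8_t)(e->len & 0xff);
    memcpy(p + 4, e->data, e->len);
    b->used += 4 + e->len;
    return 0;
}
```

A caller would allocate WSC_IE_BASE_LEN + vendor_ext_total_len(...) octets for each frame's buffer and treat a -1 return as a build failure for that frame.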

