WNM: Fix bounds checking in SSID List element matching

The IE header length check was off-by-one and that could allow the loop
to read one octet beyond the end of the buffer before breaking out in
the second check.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927
Fixes: 0a66ce3c49db ("WNM: Add support for SSID List element matching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index 8433fc3a98db375c55a44fa66ecd491491a0a8b4..d4367bda523b7d684ca9bc327b7912842f505ac6 100644 (file)
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -595,7 +595,7 @@ static enum ssid_match_result ssid_match(struct hostapd_data *hapd,
 
        pos = ssid_list;
        end = ssid_list + ssid_list_len;
-       while (end - pos >= 1) {
+       while (end - pos >= 2) {
                if (2 + pos[1] > end - pos)
                        break;
                if (pos[1] == 0)