]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 40432e6)
wpa_supplicant: Fix buffer overflow in roaming_consortiums
authorAndrei Otcheretianski <andrei.otcheretianski@intel.com>
Sun, 16 Sep 2018 18:19:16 +0000 (21:19 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 14 Oct 2018 17:47:35 +0000 (20:47 +0300)
When configuring more than 36 roaming consortiums with SET_CRED, the
stack is smashed. Fix that by correctly verifying the
num_roaming_consortiums.

Fixes: 909a948b ("HS 2.0: Add a new cred block parameter roaming_consortiums")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
wpa_supplicant/config.c patch | blob | blame | history

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index dd7f6036c89aa594ae94761e5bf37d32a8d72000..ced77ebdaae00b2d8935979995f6ff34eba9769a 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -3155,14 +3155,16 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
                }
                roaming_consortiums_len[num_roaming_consortiums] = len / 2;
                num_roaming_consortiums++;
-               if (num_roaming_consortiums > MAX_ROAMING_CONS) {
+
+               if (!end)
+                       break;
+
+               if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
                        wpa_printf(MSG_INFO,
                                   "Too many roaming_consortiums OIs");
                        return -1;
                }
 
-               if (!end)
-                       break;
                pos = end + 1;
        }
 
Unnamed repository; edit this file 'description' to name the repository.