From: Toby Gray <toby.gray@realvnc.com>
Date: Mon, 6 Oct 2014 11:24:33 +0000 (+0100)
Subject: Fix out of bounds memory access when removing vendor elements
X-Git-Tag: hostap_2_3~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45d8501555455dabce76e4481fc1a446e7c829c4;p=thirdparty%2Fhostap.git

Fix out of bounds memory access when removing vendor elements

Commit 86bd36f0d5b3d359075c356d68977b4d2e7c9f71 ("Add generic
mechanism for adding vendor elements into frames") has a minor bug
where it miscalculates the length of memory to move using
os_memmove. If multiple vendor elements are specified then this can
lead to out of bounds memory accesses.

This patch fixes this by calculating the correct length of remaining
data to shift down in the information element.

Signed-off-by: Toby Gray <toby.gray@realvnc.com>
---

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 54cd1ec3d..98d3ce475 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -6437,7 +6437,7 @@ static int wpas_ctrl_vendor_elem_remove(struct wpa_supplicant *wpa_s, char *cmd)
 			wpa_s->vendor_elem[frame] = NULL;
 		} else {
 			os_memmove(ie, ie + len,
-				   wpabuf_len(wpa_s->vendor_elem[frame]) - len);
+				   end - (ie + len));
 			wpa_s->vendor_elem[frame]->used -= len;
 		}
 		os_free(buf);