From: Andrei Otcheretianski Date: Sun, 16 Sep 2018 18:19:16 +0000 (+0300) Subject: wpa_supplicant: Fix buffer overflow in roaming_consortiums X-Git-Tag: hostap_2_7~132 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ac0ac1ddfdf3a68ee386e39fa9821a4dd0a50f6c;p=thirdparty%2Fhostap.git wpa_supplicant: Fix buffer overflow in roaming_consortiums When configuring more than 36 roaming consortiums with SET_CRED, the stack is smashed. Fix that by correctly verifying the num_roaming_consortiums. Fixes: 909a948b ("HS 2.0: Add a new cred block parameter roaming_consortiums") Signed-off-by: Andrei Otcheretianski --- diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index dd7f6036c..ced77ebda 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -3155,14 +3155,16 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred, } roaming_consortiums_len[num_roaming_consortiums] = len / 2; num_roaming_consortiums++; - if (num_roaming_consortiums > MAX_ROAMING_CONS) { + + if (!end) + break; + + if (num_roaming_consortiums >= MAX_ROAMING_CONS) { wpa_printf(MSG_INFO, "Too many roaming_consortiums OIs"); return -1; } - if (!end) - break; pos = end + 1; }
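Review bot: The limit check in wpa_config_set_cred_roaming_consortiums() still runs after the store to roaming_consortiums_len[num_roaming_consortiums], so that write is only in bounds because the previous iteration returned before num_roaming_consortiums could reach MAX_ROAMING_CONS. Consider testing `num_roaming_consortiums >= MAX_ROAMING_CONS` at the top of the loop body, before any per-entry array is written, so the bound is enforced where the write happens and does not depend on its ordering relative to `if (!end) break;`. As written, the ordering means exactly MAX_ROAMING_CONS entries are accepted when end is NULL after the last one, while the same count with a non-NULL end returns -1. A one-line comment stating that intent would keep a later reorder from reintroducing the off-by-one. A regression test that sets exactly MAX_ROAMING_CONS and then MAX_ROAMING_CONS + 1 OIs through SET_CRED would pin both sides of the boundary.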