git.ipfire.org Git - thirdparty/hostap.git/commitdiff
Fix out of bounds memory access when removing vendor elements
author Toby Gray <toby.gray@realvnc.com>
Mon, 6 Oct 2014 11:24:33 +0000 (12:24 +0100)
committer Jouni Malinen <j@w1.fi>
Mon, 6 Oct 2014 21:43:47 +0000 (00:43 +0300)
Commit 86bd36f0d5b3d359075c356d68977b4d2e7c9f71 ("Add generic
mechanism for adding vendor elements into frames") has a minor bug
where it miscalculates the length of memory to move using
os_memmove. If multiple vendor elements are specified then this can
lead to out of bounds memory accesses.

This patch fixes this by calculating the correct length of remaining
data to shift down in the information element.

Signed-off-by: Toby Gray <toby.gray@realvnc.com>
wpa_supplicant/ctrl_iface.c

index 54cd1ec3d74ca7c3ad55d212c7f23aac34724923..98d3ce475586c09b4c84d21df1eaf7618e6f997a 100644 (file)
@@ -6437,7 +6437,7 @@ static int wpas_ctrl_vendor_elem_remove(struct wpa_supplicant *wpa_s, char *cmd)
                        wpa_s->vendor_elem[frame] = NULL;
                } else {
                        os_memmove(ie, ie + len,
-                                  wpabuf_len(wpa_s->vendor_elem[frame]) - len);
+                                  end - (ie + len));
                        wpa_s->vendor_elem[frame]->used -= len;
                }
                os_free(buf);
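
Review bot: The new length `end - (ie + len)` in the os_memmove call is only correct if `end` points one past the last used byte of `wpa_s->vendor_elem[frame]` and `ie + len <= end` has already been established, and neither the definition of `end` nor that bound check is visible in this hunk. Please confirm both hold on every path into this else branch, or add a one-line comment above the os_memmove stating what `end` is, since a pointer difference that goes negative here would be converted to a very large size. It would also help to say in the commit message that the old expression `wpabuf_len(wpa_s->vendor_elem[frame]) - len` ignored the offset of `ie` inside the buffer, so the move overran by that offset whenever the removed element was not the first one; that makes the "multiple vendor elements" condition concrete for anyone backporting the fix.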