]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: de52a2e)
Fix bitfield_get_first_zero() to not read beyond buffer
authorJouni Malinen <j@w1.fi>
Sat, 14 Mar 2015 11:50:12 +0000 (13:50 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 14 Mar 2015 11:50:12 +0000 (13:50 +0200)
It was possible for bitfield_get_first_zero() to read one octet beyond
the allocated bit buffer in case the first zero bit was not within
size-1 first octets.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/utils/bitfield.c patch | blob | blame | history

diff --git a/src/utils/bitfield.c b/src/utils/bitfield.c
index f90e4beb61794c6c58ddae332d51c293bcc85155..8dcec3907e9e9be2b329aeedb649af316bd83d03 100644 (file)
--- a/src/utils/bitfield.c
+++ b/src/utils/bitfield.c
@@ -76,11 +76,11 @@ static int first_zero(u8 val)
 int bitfield_get_first_zero(struct bitfield *bf)
 {
        size_t i;
-       for (i = 0; i <= (bf->max_bits + 7) / 8; i++) {
+       for (i = 0; i < (bf->max_bits + 7) / 8; i++) {
                if (bf->bits[i] != 0xff)
                        break;
        }
-       if (i > (bf->max_bits + 7) / 8)
+       if (i == (bf->max_bits + 7) / 8)
                return -1;
        i = i * 8 + first_zero(bf->bits[i]);
        if (i >= bf->max_bits)
Unnamed repository; edit this file 'description' to name the repository.