From: Jouni Malinen Date: Fri, 24 May 2019 22:29:47 +0000 (+0300) Subject: WNM: Fix bounds checking in SSID List element matching X-Git-Tag: hostap_2_9~272 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5bad612311ae6127765002408b3d9e48e7b94da2;p=thirdparty%2Fhostap.git WNM: Fix bounds checking in SSID List element matching The IE header length check was off-by-one and that could allow the loop to read one octet beyond the end of the buffer before breaking out in the second check. Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927 Fixes: 0a66ce3c49db ("WNM: Add support for SSID List element matching") Signed-off-by: Jouni Malinen --- diff --git a/src/ap/beacon.c b/src/ap/beacon.c index 8433fc3a9..d4367bda5 100644 --- a/src/ap/beacon.c +++ b/src/ap/beacon.c @@ -595,7 +595,7 @@ static enum ssid_match_result ssid_match(struct hostapd_data *hapd, pos = ssid_list; end = ssid_list + ssid_list_len; - while (end - pos >= 1) { + while (end - pos >= 2) { if (2 + pos[1] > end - pos) break; if (pos[1] == 0)
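Review bot: The bare constant in the new loop condition `while (end - pos >= 2)` in ssid_match() is undocumented, and the same 2 appears again in the following check `if (2 + pos[1] > end - pos)`. Both stand for the element header (one ID octet plus one length octet), and the original off-by-one came from the two checks disagreeing about that size. A short comment on the loop saying that at least the two header octets must remain before `pos[1]` is read, or a shared named constant for the header length, would keep the header check and the payload check in step if this loop is edited again. Also worth noting in a comment: a single trailing octet after the last complete element now ends the loop silently in the same way the `break` on a truncated payload does, so malformed lists are treated as "no further entries" rather than reported.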