From: Sabrina Dubroca <sd@queasysnail.net>
Date: Tue, 19 Jul 2016 09:56:56 +0000 (+0200)
Subject: mka: Avoid reading past the end of mka_body_handler
X-Git-Tag: hostap_2_6~144
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ad19e71e6815fd7b3ff5cf73fe1edaaccf8383bc;p=thirdparty%2Fhostap.git

mka: Avoid reading past the end of mka_body_handler

body_type, used to index in mka_body_handler, can be any u8 value, but
we have only ARRAY_SIZE(mka_body_handler) elements.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 51983a44c..8f88207d1 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3057,7 +3057,8 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
 			goto next_para_set;
 
 		handled[body_type] = TRUE;
-		if (mak_body_handler[body_type].body_rx) {
+		if (body_type < ARRAY_SIZE(mak_body_handler) &&
+		    mak_body_handler[body_type].body_rx) {
 			mak_body_handler[body_type].body_rx
 				(participant, pos, left_len);
 		} else {