Message ID | 1537121956-30754-1-git-send-email-andrei.otcheretianski@intel.com |
---|---|
State | Accepted |
Series | wpa_supplicant: Fix buffer overflow in roaming_consortiums |
On Sun, Sep 16, 2018 at 09:19:16PM +0300, Andrei Otcheretianski wrote:
> When configuring more than 36 roaming consortiums, the stack is
> smashed.
> Fix that by correctly verifying the num_roaming_consortiums.

Thanks, applied.
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index dd7f603..06fe670 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -3155,14 +3155,15 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred, } roaming_consortiums_len[num_roaming_consortiums] = len / 2; num_roaming_consortiums++; - if (num_roaming_consortiums > MAX_ROAMING_CONS) { + + if (!end) + break; + + if (num_roaming_consortiums >= MAX_ROAMING_CONS) { wpa_printf(MSG_INFO, "Too many roaming_consortiums OIs"); return -1; } - - if (!end) - break; pos = end + 1; }
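Review bot: the limit on num_roaming_consortiums is still tested only after the store `roaming_consortiums_len[num_roaming_consortiums] = len / 2;` at the top of the hunk, so the write is in bounds only because the previous iteration returned before reaching `pos = end + 1`. Safety therefore depends on the relative order of the `if (!end) break;` block and the `if (num_roaming_consortiums >= MAX_ROAMING_CONS)` block, which is the ordering this change had to swap. Consider rejecting the entry immediately before the store when num_roaming_consortiums has already reached MAX_ROAMING_CONS, or at least add a comment stating that the break must come first so that a list of exactly MAX_ROAMING_CONS entries is still accepted while one more entry is refused. The commit message refers to 36 entries but the hunk only shows the macro name, so the log line "Too many roaming_consortiums OIs" would be more useful if it printed MAX_ROAMING_CONS.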
When configuring more than 36 roaming consortiums, the stack is smashed.
Fix that by correctly verifying the num_roaming_consortiums.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
---
 wpa_supplicant/config.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)