Fix bitfield_get_first_zero() to not read beyond buffer
It was possible for bitfield_get_first_zero() to read one octet beyond the allocated bit buffer in case the first zero bit was not within size-1 first octets. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
de52a2e259
commit
319d9daab9
1 changed files with 2 additions and 2 deletions
|
@ -76,11 +76,11 @@ static int first_zero(u8 val)
|
||||||
int bitfield_get_first_zero(struct bitfield *bf)
|
int bitfield_get_first_zero(struct bitfield *bf)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
for (i = 0; i <= (bf->max_bits + 7) / 8; i++) {
|
for (i = 0; i < (bf->max_bits + 7) / 8; i++) {
|
||||||
if (bf->bits[i] != 0xff)
|
if (bf->bits[i] != 0xff)
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (i > (bf->max_bits + 7) / 8)
|
if (i == (bf->max_bits + 7) / 8)
|
||||||
return -1;
|
return -1;
|
||||||
i = i * 8 + first_zero(bf->bits[i]);
|
i = i * 8 + first_zero(bf->bits[i]);
|
||||||
if (i >= bf->max_bits)
|
if (i >= bf->max_bits)
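Review bot: The octet count `(bf->max_bits + 7) / 8` is still written out twice in bitfield_get_first_zero(), once as the loop bound and once in the `i == ...` exhaustion check, and the over-read fixed here came from that bound disagreeing with the buffer size. Computing it once, e.g. `const size_t len = (bf->max_bits + 7) / 8;` followed by `for (i = 0; i < len; i++)` and `if (i == len) return -1;`, keeps the two tests in lockstep. A short comment stating that `bf->bits` holds exactly `len` octets would document the invariant the loop relies on; the allocation is not visible in this hunk, so that size should be confirmed against the allocator. The function continues past the final `if (i >= bf->max_bits)` line outside the hunk, where the size_t index is presumably narrowed to the int return value.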
|
||||||
|
|