Fix bitfield_get_first_zero() to not read beyond buffer

It was possible for bitfield_get_first_zero() to read one octet beyond
the allocated bit buffer in case the first zero bit was not within
size-1 first octets.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2015-03-14 13:50:12 +02:00
parent de52a2e259
commit 319d9daab9


@ -76,11 +76,11 @@ static int first_zero(u8 val)
int bitfield_get_first_zero(struct bitfield *bf) int bitfield_get_first_zero(struct bitfield *bf)
{ {
size_t i; size_t i;
for (i = 0; i <= (bf->max_bits + 7) / 8; i++) { for (i = 0; i < (bf->max_bits + 7) / 8; i++) {
if (bf->bits[i] != 0xff) if (bf->bits[i] != 0xff)
break; break;
} }
if (i > (bf->max_bits + 7) / 8) if (i == (bf->max_bits + 7) / 8)
return -1; return -1;
i = i * 8 + first_zero(bf->bits[i]); i = i * 8 + first_zero(bf->bits[i]);
if (i >= bf->max_bits) if (i >= bf->max_bits)
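Review bot: the octet count `(bf->max_bits + 7) / 8` is written out twice, once in the `for` condition and once in the `if (i == ...)` check after the loop, and the over-read being fixed here depended on exactly those two bounds agreeing. Consider computing it once into a local, for example `size_t len = (bf->max_bits + 7) / 8;`, and using `i < len` and `i == len`, so a later edit cannot change one bound without the other. A regression test that calls the function with every octet set to 0xff would exercise the path where the loop runs to the end of the buffer and the function must return -1 without touching `bf->bits[len]`.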