From ac0ac1ddfdf3a68ee386e39fa9821a4dd0a50f6c Mon Sep 17 00:00:00 2001
From: Andrei Otcheretianski
Date: Sun, 16 Sep 2018 21:19:16 +0300
Subject: [PATCH] wpa_supplicant: Fix buffer overflow in roaming_consortiums
When configuring more than 36 roaming consortiums with SET_CRED, the stack is smashed. Fix that by correctly verifying the num_roaming_consortiums.
Fixes: 909a948b ("HS 2.0: Add a new cred block parameter roaming_consortiums")
Signed-off-by: Andrei Otcheretianski
---
 wpa_supplicant/config.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index dd7f6036c..ced77ebda 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -3155,14 +3155,16 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
 }
 roaming_consortiums_len[num_roaming_consortiums] = len / 2;
 num_roaming_consortiums++;
- if (num_roaming_consortiums > MAX_ROAMING_CONS) {
+
+ if (!end)
+ break;
+
+ if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
 wpa_printf(MSG_INFO, "Too many roaming_consortiums OIs");
 return -1;
 }
- if (!end)
- break;
 pos = end + 1;
 }
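Review bot: The new `>=` test is the only thing keeping the next iteration's `roaming_consortiums_len[num_roaming_consortiums] = len / 2;` store in bounds, yet nothing at the check says so, and it sits after the increment rather than beside the indexed write. I would add a comment directly above it, for example `/* Arrays are full: one more OI would be stored at index MAX_ROAMING_CONS */`, so that a later reordering of the `!end` break and the limit test does not quietly reintroduce the overflow. As written, a value holding exactly MAX_ROAMING_CONS entries followed by a trailing comma looks like it is rejected with "Too many roaming_consortiums OIs"; that may be intended, but the loop head is not visible here, so it should be confirmed against the full function. The body of wpa_config_set_cred_roaming_consortiums starts and ends outside this hunk.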