DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

wpa_supplicant: Fix buffer overflow in roaming_consortiums

Browse source 
When configuring more than 36 roaming consortiums with SET_CRED, the
stack is smashed. Fix that by correctly verifying the
num_roaming_consortiums.

Fixes: 909a948b ("HS 2.0: Add a new cred block parameter roaming_consortiums")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This commit is contained in:
Andrei Otcheretianski 2018-09-16 21:19:16 +03:00 committed by Jouni Malinen
parent 40432e6eb3
commit ac0ac1ddfd
1 changed files with 5 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
wpa_supplicant/config.c
View file

@ -3155,14 +3155,16 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
} }
roaming_consortiums_len[num_roaming_consortiums] = len / 2; roaming_consortiums_len[num_roaming_consortiums] = len / 2;
num_roaming_consortiums++; num_roaming_consortiums++;
if (num_roaming_consortiums > MAX_ROAMING_CONS) {
if (!end)
break;
if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
wpa_printf(MSG_INFO, wpa_printf(MSG_INFO,
"Too many roaming_consortiums OIs"); "Too many roaming_consortiums OIs");
return -1; return -1;
} }
if (!end)
break;
pos = end + 1; pos = end + 1;
} }