DGNum/iwinfo
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

iwinfo: Fix incorrect buffer allocation in nl80211_get_ifcomb_cb()

Browse source 
This fixes a buffer overwrite, I found it when building with SSP enabled
This commit is contained in:
Andrew McDonnell 2014-12-12 00:17:45 +10:30 committed by John Crispin
parent d5dc3d0605
commit 50370d9e69
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
iwinfo_nl80211.c
View file

@ -2446,15 +2446,15 @@ static int nl80211_get_ifcomb_cb(struct nl_msg *msg, void *arg)
[NL80211_IFACE_COMB_LIMITS] = { .type = NLA_NESTED }, [NL80211_IFACE_COMB_LIMITS] = { .type = NLA_NESTED },
[NL80211_IFACE_COMB_MAXNUM] = { .type = NLA_U32 }, [NL80211_IFACE_COMB_MAXNUM] = { .type = NLA_U32 },
}; };
struct nlattr *tb_comb[NUM_NL80211_IFACE_COMB]; struct nlattr *tb_comb[NUM_NL80211_IFACE_COMB+1];
static struct nla_policy iface_limit_policy[NUM_NL80211_IFACE_LIMIT] = { static struct nla_policy iface_limit_policy[NUM_NL80211_IFACE_LIMIT] = {
[NL80211_IFACE_LIMIT_TYPES] = { .type = NLA_NESTED }, [NL80211_IFACE_LIMIT_TYPES] = { .type = NLA_NESTED },
[NL80211_IFACE_LIMIT_MAX] = { .type = NLA_U32 }, [NL80211_IFACE_LIMIT_MAX] = { .type = NLA_U32 },
}; };
struct nlattr *tb_limit[NUM_NL80211_IFACE_LIMIT]; struct nlattr *tb_limit[NUM_NL80211_IFACE_LIMIT+1];
struct nlattr *limit; struct nlattr *limit;
nla_parse_nested(tb_comb, NL80211_BAND_ATTR_MAX, comb, iface_combination_policy); nla_parse_nested(tb_comb, NUM_NL80211_IFACE_COMB, comb, iface_combination_policy);
if (!tb_comb[NL80211_IFACE_COMB_LIMITS]) if (!tb_comb[NL80211_IFACE_COMB_LIMITS])
continue; continue;