author Andrei Otcheretianski <andrei.otcheretianski@intel.com> 2018-09-16 18:19:16 (GMT)
committer Jouni Malinen <j@w1.fi> 2018-10-14 17:47:35 (GMT)
commit ac0ac1ddfdf3a68ee386e39fa9821a4dd0a50f6c
tree 5409b9a737ac80ce6bd3571d9a38471f0eda1025 /wpa_supplicant
parent 40432e6eb37d62dabbf4416f3062cdf2a2fa1b40
wpa_supplicant: Fix buffer overflow in roaming_consortiums
When configuring more than 36 roaming consortiums with SET_CRED, the stack is smashed. Fix that by correctly verifying the num_roaming_consortiums.

Fixes: 909a948b ("HS 2.0: Add a new cred block parameter roaming_consortiums")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Diffstat (limited to 'wpa_supplicant')
-rw-r--r-- wpa_supplicant/config.c 8
1 files changed, 5 insertions, 3 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index dd7f603..ced77eb 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -3155,14 +3155,16 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
}
roaming_consortiums_len[num_roaming_consortiums] = len / 2;
num_roaming_consortiums++;
- if (num_roaming_consortiums > MAX_ROAMING_CONS) {
+
+ if (!end)
+ break;
+
+ if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
wpa_printf(MSG_INFO,
"Too many roaming_consortiums OIs");
return -1;
}
- if (!end)
- break;
pos = end + 1;
}
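Review bot: The limit is still enforced at the bottom of the loop, after the store to `roaming_consortiums_len[num_roaming_consortiums]`, so that write is only in bounds because the previous iteration either left through `if (!end) break;` or returned on `num_roaming_consortiums >= MAX_ROAMING_CONS`. Guarding the index at the top of the loop body, immediately before the first indexed write, would protect each store directly and would not depend on the relative order of these two `if` statements. If the check stays where it is, a short comment explaining that the `!end` break must come first (so that exactly MAX_ROAMING_CONS entries are accepted) would keep a later reorder from reintroducing the off-by-one. One corner case to confirm with a test: a list of exactly MAX_ROAMING_CONS OIs followed by a trailing comma has a non-NULL `end` after the last entry and is therefore rejected with "Too many roaming_consortiums OIs".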