authorJouni Malinen <j@w1.fi>2015-03-14 11:50:12 (GMT)
committerJouni Malinen <j@w1.fi>2015-03-14 11:50:12 (GMT)
commit319d9daab9bb12f9cd69f7d18bdcead32e482fc8 (patch)
tree297251fc459bf2a5c9b8fc5963ee4c2e0b051fc5
parentde52a2e2594e68c9abe33e31d63677e1c483d35a (diff)
Fix bitfield_get_first_zero() to not read beyond buffer
It was possible for bitfield_get_first_zero() to read one octet beyond the allocated bit buffer in case the first zero bit was not within the first size-1 octets.
Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/utils/bitfield.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/utils/bitfield.c b/src/utils/bitfield.c
index f90e4be..8dcec39 100644
--- a/src/utils/bitfield.c
+++ b/src/utils/bitfield.c
@@ -76,11 +76,11 @@ static int first_zero(u8 val)
int bitfield_get_first_zero(struct bitfield *bf)
{
size_t i;
- for (i = 0; i <= (bf->max_bits + 7) / 8; i++) {
+ for (i = 0; i < (bf->max_bits + 7) / 8; i++) {
if (bf->bits[i] != 0xff)
break;
}
- if (i > (bf->max_bits + 7) / 8)
+ if (i == (bf->max_bits + 7) / 8)
return -1;
i = i * 8 + first_zero(bf->bits[i]);
if (i >= bf->max_bits)
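Review bot: The octet count `(bf->max_bits + 7) / 8` is still written out twice, once in the loop bound and once in the check after the loop, and the over-read fixed here existed because both copies carried the same off-by-one. Computing it once as `size_t len = (bf->max_bits + 7) / 8;` and then using `i < len` in the loop and `i == len` in the all-ones test would keep the bound and the exit test from drifting apart again. A one-line comment above the loop stating that `bf->bits` holds exactly `len` octets would record the invariant the index into `bf->bits[i]` relies on; that size is assumed here, since the allocation is not visible in this hunk. A regression case with every bit set and `max_bits` a multiple of 8 would exercise the path where the old code read past the buffer. The function body continues past the last line shown.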