projects
/
framework
/
connectivity
/
connman.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(from parent 1:
255e246
)
gsupplicant: Do not access IE array past end of buffer
author
Jukka Rissanen
<jukka.rissanen@linux.intel.com>
Wed, 31 Aug 2011 11:50:10 +0000
(14:50 +0300)
committer
Samuel Ortiz
<sameo@linux.intel.com>
Mon, 12 Sep 2011 09:40:48 +0000
(11:40 +0200)
IE list was traversed past buffer limit in the last round.
gsupplicant/supplicant.c
patch
|
blob
|
history
diff --git
a/gsupplicant/supplicant.c
b/gsupplicant/supplicant.c
index
e5743f0
..
2586075
100644
(file)
--- a/
gsupplicant/supplicant.c
+++ b/
gsupplicant/supplicant.c
@@
-1167,7
+1167,9
@@
static void bss_process_ies(DBusMessageIter *iter, void *user_data)
if (ie == NULL || ie_len < 2)
return;
- for (ie_end = ie+ie_len; ie+ie[1]+1 <= ie_end; ie += ie[1]+2) {
+ for (ie_end = ie + ie_len; ie < ie_end && ie + ie[1] + 1 <= ie_end;
+ ie += ie[1] + 2) {
+
if (ie[0] != WMM_WPA1_WPS_INFO || ie[1] < WPS_INFO_MIN_LEN ||
memcmp(ie+2, WPS_OUI, sizeof(WPS_OUI)) != 0)
continue;