gsupplicant: Do not access IE array past end of buffer
authorJukka Rissanen <jukka.rissanen@linux.intel.com>
Wed, 31 Aug 2011 11:50:10 +0000 (14:50 +0300)
committerSamuel Ortiz <sameo@linux.intel.com>
Mon, 12 Sep 2011 09:40:48 +0000 (11:40 +0200)
IE list was traversed past buffer limit in the last round.

gsupplicant/supplicant.c

index e5743f0..2586075 100644 (file)
@@ -1167,7 +1167,9 @@ static void bss_process_ies(DBusMessageIter *iter, void *user_data)
        if (ie == NULL || ie_len < 2)
                return;
 
-       for (ie_end = ie+ie_len; ie+ie[1]+1 <= ie_end; ie += ie[1]+2) {
+       for (ie_end = ie + ie_len; ie < ie_end && ie + ie[1] + 1 <= ie_end;
+                                                       ie += ie[1] + 2) {
+
                if (ie[0] != WMM_WPA1_WPS_INFO || ie[1] < WPS_INFO_MIN_LEN ||
                        memcmp(ie+2, WPS_OUI, sizeof(WPS_OUI)) != 0)
                        continue;
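Review bot: The new loop condition still allows a one-byte read past the buffer: when exactly one byte remains (`ie == ie_end - 1`), `ie < ie_end` holds and `ie[1]` is then read at `ie_end`. The second clause is also off by one, because an element spans `ie[1] + 2` bytes and `ie + ie[1] + 1 <= ie_end` accepts an element whose last payload byte lies at `ie_end`; whether the loop body touches that byte depends on code outside the hunk. Comparing the remaining length fixes both and avoids forming pointers beyond one past the end: `ie_end - ie >= 2 && ie[1] <= ie_end - ie - 2`. The IE data presumably originates from scan results and is therefore untrusted, so the bound is worth making exact. The body of bss_process_ies starts and ends outside the hunk.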