From: Jukka Rissanen Date: Wed, 31 Aug 2011 11:50:10 +0000 (+0300) Subject: gsupplicant: Do not access IE array past end of buffer X-Git-Tag: 0.78~267 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=99e97f3a44ed1efc7d5070eb5366eef59040318a;p=platform%2Fupstream%2Fconnman.git gsupplicant: Do not access IE array past end of buffer IE list was traversed past buffer limit in the last round. --- diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c index e5743f0..2586075 100644 --- a/gsupplicant/supplicant.c +++ b/gsupplicant/supplicant.c @@ -1167,7 +1167,9 @@ static void bss_process_ies(DBusMessageIter *iter, void *user_data) if (ie == NULL || ie_len < 2) return; - for (ie_end = ie+ie_len; ie+ie[1]+1 <= ie_end; ie += ie[1]+2) { + for (ie_end = ie + ie_len; ie < ie_end && ie + ie[1] + 1 <= ie_end; + ie += ie[1] + 2) { + if (ie[0] != WMM_WPA1_WPS_INFO || ie[1] < WPS_INFO_MIN_LEN || memcmp(ie+2, WPS_OUI, sizeof(WPS_OUI)) != 0) continue;
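Review bot: The new loop condition can still read `ie[1]` one byte past the buffer, because `ie < ie_end` holds when `ie == ie_end - 1` and the length byte is then fetched from `ie_end`. The second clause `ie + ie[1] + 1 <= ie_end` also looks off by one: an element spans `ie[1] + 2` bytes, so this accepts one whose final byte would sit at `ie_end`. Comparing against the remaining length closes both gaps and keeps the pointer arithmetic inside the buffer: `ie_end - ie >= 2 && ie[1] + 2 <= ie_end - ie`. The IE bytes presumably originate from scan results of nearby access points, so the length fields should be treated as untrusted. The loop body continues outside the hunk, so whether the extra byte is actually consumed there cannot be confirmed from here.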