wpa_supplicant: Fix buffer overflow in roaming_consortiums

Message ID 1537121956-30754-1-git-send-email-andrei.otcheretianski@intel.com
State Accepted

Commit Message

Andrei Otcheretianski Sept. 16, 2018, 6:19 p.m.
When configuring more than 36 roaming consortiums, the stack is
smashed.
Fix that by correctly verifying the num_roaming_consortiums.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
---
 wpa_supplicant/config.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Comments

Jouni Malinen Oct. 14, 2018, 7:59 p.m. | #1
On Sun, Sep 16, 2018 at 09:19:16PM +0300, Andrei Otcheretianski wrote:
> When configuring more than 36 roaming consortiums, the stack is
> smashed.
> Fix that by correctly verifying the num_roaming_consortiums.

Thanks, applied.

Patch

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index dd7f603..06fe670 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -3155,14 +3155,15 @@  static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
 		}
 		roaming_consortiums_len[num_roaming_consortiums] = len / 2;
 		num_roaming_consortiums++;
-		if (num_roaming_consortiums > MAX_ROAMING_CONS) {
+
+		if (!end)
+			break;
+
+		if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
 			wpa_printf(MSG_INFO,
 				   "Too many roaming_consortiums OIs");
 			return -1;
 		}
-
-		if (!end)
-			break;
 		pos = end + 1;
 	}
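Review bot: The limit check at `if (num_roaming_consortiums >= MAX_ROAMING_CONS)` still comes after the store to `roaming_consortiums_len[num_roaming_consortiums]`, so the write is only safe because of how the statements are ordered. With `>=`, the index is below MAX_ROAMING_CONS on every loop entry, and moving the `if (!end) break;` ahead of the check keeps a list of exactly MAX_ROAMING_CONS entries valid. Both properties are easy to break in a later edit. Consider testing `num_roaming_consortiums >= MAX_ROAMING_CONS` at the top of the loop body, before anything is written to the arrays, or at least add a comment explaining why the break must precede the check. A regression test that configures exactly MAX_ROAMING_CONS entries (accepted) and MAX_ROAMING_CONS + 1 entries (rejected with "Too many roaming_consortiums OIs") would pin down both boundaries.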