Message ID | 1412594673-16130-1-git-send-email-toby.gray@realvnc.com |
---|---|
State | Accepted |
Headers | show |
On Mon, Oct 06, 2014 at 12:24:33PM +0100, Toby Gray wrote: > Commit 86bd36f0d5b3d359075c356d68977b4d2e7c9f71 ("Add generic > mechanism for adding vendor elements into frames") has a minor bug > where it miscalculates the length of memory to move using > os_memmove. If multiple vendor elements are specified then this can > lead to out of bounds memory accesses. > > This patch fixes this by calculating the correct length of remaining > data to shift down in the information element. Thanks, applied. I also extended the hwsim test script to check for this. Previously, it was only deleting the first IE and the issue was not triggered.
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 9d28837..7752132 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -6427,7 +6427,7 @@ static int wpas_ctrl_vendor_elem_remove(struct wpa_supplicant *wpa_s, char *cmd) wpa_s->vendor_elem[frame] = NULL; } else { os_memmove(ie, ie + len, - wpabuf_len(wpa_s->vendor_elem[frame]) - len); + end - (ie + len)); wpa_s->vendor_elem[frame]->used -= len; } os_free(buf);
Commit 86bd36f0d5b3d359075c356d68977b4d2e7c9f71 ("Add generic mechanism for adding vendor elements into frames") has a minor bug where it miscalculates the length of memory to move using os_memmove. If multiple vendor elements are specified then this can lead to out of bounds memory accesses. This patch fixes this by calculating the correct length of remaining data to shift down in the information element. Signed-off-by: Toby Gray <toby.gray@realvnc.com> --- wpa_supplicant/ctrl_iface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)