From 45d8501555455dabce76e4481fc1a446e7c829c4 Mon Sep 17 00:00:00 2001
From: Toby Gray
Date: Mon, 6 Oct 2014 12:24:33 +0100
Subject: [PATCH] Fix out of bounds memory access when removing vendor elements

Commit 86bd36f0d5b3d359075c356d68977b4d2e7c9f71 ("Add generic mechanism for adding vendor elements into frames") has a minor bug where it miscalculates the length of memory to move using os_memmove. If multiple vendor elements are specified then this can lead to out of bounds memory accesses. This patch fixes this by calculating the correct length of remaining data to shift down in the information element.
Signed-off-by: Toby Gray
---
 wpa_supplicant/ctrl_iface.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 54cd1ec3d..98d3ce475 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -6437,7 +6437,7 @@ static int wpas_ctrl_vendor_elem_remove(struct wpa_supplicant *wpa_s, char *cmd)
 wpa_s->vendor_elem[frame] = NULL;
 } else {
 os_memmove(ie, ie + len,
- wpabuf_len(wpa_s->vendor_elem[frame]) - len);
+ end - (ie + len));
 wpa_s->vendor_elem[frame]->used -= len;
 }
 os_free(buf);
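Review bot: The new length `end - (ie + len)` is a pointer difference that becomes an unsigned size when passed to os_memmove, so it is only safe if `ie + len <= end` already holds when this branch runs. A negative difference would turn into a very large copy length. That bound, and the definitions of `ie`, `end` and `len`, sit earlier in wpas_ctrl_vendor_elem_remove, outside this hunk, so it cannot be confirmed from here. I would state the invariant next to the call, for example `/* ie + len <= end was checked above; move only the bytes that follow the removed element */`. The line after it writes `->used` directly, so the same comment could note that `used` must stay equal to the number of valid bytes left after the shift.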