wpa_supplicant: Fix buffer overflow in roaming_consortiums

When configuring more than 36 roaming consortiums with SET_CRED, the
stack is smashed. Fix that by correctly verifying the
num_roaming_consortiums.

Fixes: 909a948b ("HS 2.0: Add a new cred block parameter roaming_consortiums")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This commit is contained in:
Andrei Otcheretianski 2018-09-16 21:19:16 +03:00 committed by Jouni Malinen
parent 40432e6eb3
commit ac0ac1ddfd

View File

@ -3155,14 +3155,16 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
}
roaming_consortiums_len[num_roaming_consortiums] = len / 2;
num_roaming_consortiums++;
if (num_roaming_consortiums > MAX_ROAMING_CONS) {
if (!end)
break;
if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
wpa_printf(MSG_INFO,
"Too many roaming_consortiums OIs");
return -1;
}
if (!end)
break;
pos = end + 1;
}