mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-28 10:18:21 -05:00
wpa_supplicant: Fix buffer overflow in roaming_consortiums
When configuring more than 36 roaming consortiums with SET_CRED, the
stack is smashed. Fix that by correctly verifying the
num_roaming_consortiums.
Fixes: 909a948b
("HS 2.0: Add a new cred block parameter roaming_consortiums")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This commit is contained in:
parent
40432e6eb3
commit
ac0ac1ddfd
@ -3155,14 +3155,16 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
|
||||
}
|
||||
roaming_consortiums_len[num_roaming_consortiums] = len / 2;
|
||||
num_roaming_consortiums++;
|
||||
if (num_roaming_consortiums > MAX_ROAMING_CONS) {
|
||||
|
||||
if (!end)
|
||||
break;
|
||||
|
||||
if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"Too many roaming_consortiums OIs");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!end)
|
||||
break;
|
||||
pos = end + 1;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user