[PATCH] Fix out of bounds memory access when removing vendor elements.
Jouni Malinen
j
Mon Oct 6 15:36:18 PDT 2014
On Mon, Oct 06, 2014 at 12:24:33PM +0100, Toby Gray wrote:
> Commit 86bd36f0d5b3d359075c356d68977b4d2e7c9f71 ("Add generic
> mechanism for adding vendor elements into frames") has a minor bug
> where it miscalculates the length of memory to move using
> os_memmove. If multiple vendor elements are specified then this can
> lead to out of bounds memory accesses.
>
> This patch fixes this by calculating the correct length of remaining
> data to shift down in the information element.
Thanks, applied. I also extended the hwsim test script to check for
this. Previously, it was only deleting the first IE and the issue was
not triggered.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list