[PATCH 6/8] mka: avoid reading past the end of mka_body_handler
Sabrina Dubroca
sd at queasysnail.net
Tue Jul 19 02:56:56 PDT 2016
body_type, used to index in mka_body_handler, can be any u8 value, but
we have only ARRAY_SIZE(mka_body_handler) elements.
Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
---
src/pae/ieee802_1x_kay.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 5b4e05a25c61..4c050eb9866a 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3053,7 +3053,8 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
goto next_para_set;
handled[body_type] = TRUE;
- if (mak_body_handler[body_type].body_rx) {
+ if (body_type < ARRAY_SIZE(mak_body_handler) &&
+ mak_body_handler[body_type].body_rx) {
mak_body_handler[body_type].body_rx
(participant, pos, left_len);
} else {
--
2.9.0
More information about the Hostap
mailing list