Fix out of bounds memory access when removing vendor elements

Commit 86bd36f0d5 ("Add generic mechanism for adding vendor elements
into frames") has a minor bug where it miscalculates the length of
memory to move using os_memmove. If multiple vendor elements are
specified then this can lead to out of bounds memory accesses.

This patch fixes this by calculating the correct length of remaining
data to shift down in the information element.

Signed-off-by: Toby Gray <toby.gray@realvnc.com>
Toby Gray 2014-10-06 12:24:33 +01:00 committed by Jouni Malinen
parent a61fcc131a
commit 45d8501555
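
The length calculation the commit message describes, as an added example that is not part of the commit or of wpa_supplicant: removing one element from a buffer of back-to-back elements, where the tail to shift is `end - (ie + len)`. The `id | length | payload` layout, the sample bytes and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Remove the first element equal to elem[0..len) from buf[0..*used).
 * Assumed layout: id(1) | length(1) | payload. Returns 0, or -1 on no match. */
static int remove_elem(uint8_t *buf, size_t *used,
                       const uint8_t *elem, size_t len)
{
    uint8_t *ie = buf, *end = buf + *used;
    while (end - ie >= 2) {
        size_t cur = 2 + (size_t)ie[1];
        if (cur > (size_t)(end - ie))
            return -1;                  /* truncated element */
        if (cur == len && memcmp(ie, elem, len) == 0) {
            /* Shift only the bytes that follow the removed element. */
            memmove(ie, ie + len, (size_t)(end - (ie + len)));
            *used -= len;
            return 0;
        }
        ie += cur;
    }
    return -1;
}

/* Bytes past the used data touched by the pre-fix length (used - len). */
static size_t old_overrun(size_t used, size_t off, size_t len)
{
    return off + len + (used - len) - used;
}

/* Constructed sample: three vendor elements; the middle one is removed. */
static uint8_t demo_buf[12];
static size_t demo_remove_middle(void)
{
    static const uint8_t init[12] = { 0xdd, 0x03, 0x01, 0x02, 0x03,
                                      0xdd, 0x02, 0xaa, 0xbb, 0xdd, 0x01, 0xff };
    static const uint8_t mid[4] = { 0xdd, 0x02, 0xaa, 0xbb };
    size_t used = sizeof(init);
    memcpy(demo_buf, init, sizeof(init));
    return remove_elem(demo_buf, &used, mid, sizeof(mid)) == 0 ? used : 0;
}

int main(void)
{
    printf("used=%zu old_overrun=%zu\n", demo_remove_middle(), old_overrun(12, 5, 4));
    return 0;
}
```

With the pre-fix length the overrun equals the offset of the removed element, so it is zero only when the first element in the buffer is the one removed.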

@ -6437,7 +6437,7 @@ static int wpas_ctrl_vendor_elem_remove(struct wpa_supplicant *wpa_s, char *cmd)
wpa_s->vendor_elem[frame] = NULL; wpa_s->vendor_elem[frame] = NULL;
} else { } else {
os_memmove(ie, ie + len, os_memmove(ie, ie + len,
wpabuf_len(wpa_s->vendor_elem[frame]) - len); end - (ie + len));
wpa_s->vendor_elem[frame]->used -= len; wpa_s->vendor_elem[frame]->used -= len;
} }
os_free(buf); os_free(buf);
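
Review bot: the new os_memmove length `end - (ie + len)` relies on `end` and on `ie + len <= end`, and neither the assignment of `end` nor a bounds check on the matched element is visible in this hunk. If `end` is not exactly one past the last used byte of `wpa_s->vendor_elem[frame]`, or the matched element can extend past it, the pointer difference converts to a very large size_t. Please confirm both conditions hold in the code above the `else` branch, and consider adding a test that removes one element while several vendor elements are configured, since that is the case the commit message names.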