Fix out of bounds memory access when removing vendor elements
Commit 86bd36f0d5
("Add generic
mechanism for adding vendor elements into frames") has a minor bug
where it miscalculates the length of memory to move using
os_memmove. If multiple vendor elements are specified then this can
lead to out of bounds memory accesses.
This patch fixes this by calculating the correct length of remaining
data to shift down in the information element.
Signed-off-by: Toby Gray <toby.gray@realvnc.com>
This commit is contained in:
parent
a61fcc131a
commit
45d8501555
1 changed files with 1 additions and 1 deletions
|
@ -6437,7 +6437,7 @@ static int wpas_ctrl_vendor_elem_remove(struct wpa_supplicant *wpa_s, char *cmd)
|
||||||
wpa_s->vendor_elem[frame] = NULL;
|
wpa_s->vendor_elem[frame] = NULL;
|
||||||
} else {
|
} else {
|
||||||
os_memmove(ie, ie + len,
|
os_memmove(ie, ie + len,
|
||||||
wpabuf_len(wpa_s->vendor_elem[frame]) - len);
|
end - (ie + len));
|
||||||
wpa_s->vendor_elem[frame]->used -= len;
|
wpa_s->vendor_elem[frame]->used -= len;
|
||||||
}
|
}
|
||||||
os_free(buf);
|
os_free(buf);
|
||||||
|
|
Loading…
Reference in a new issue