From 5bad612311ae6127765002408b3d9e48e7b94da2 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 25 May 2019 01:29:47 +0300 Subject: [PATCH] WNM: Fix bounds checking in SSID List element matching The IE header length check was off-by-one and that could allow the loop to read one octet beyond the end of the buffer before breaking out in the second check. Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927 Fixes: 0a66ce3c49db ("WNM: Add support for SSID List element matching") Signed-off-by: Jouni Malinen --- src/ap/beacon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ap/beacon.c b/src/ap/beacon.c index 8433fc3a9..d4367bda5 100644 --- a/src/ap/beacon.c +++ b/src/ap/beacon.c @@ -595,7 +595,7 @@ static enum ssid_match_result ssid_match(struct hostapd_data *hapd, pos = ssid_list; end = ssid_list + ssid_list_len; - while (end - pos >= 1) { + while (end - pos >= 2) { if (2 + pos[1] > end - pos) break; if (pos[1] == 0)
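Review bot: The new loop condition `while (end - pos >= 2)` is the right minimum, because the very next line, `if (2 + pos[1] > end - pos) break;`, dereferences `pos[1]` (the element length octet) before that check can do anything, so with the old `>= 1` a trailing single octet let `pos[1]` be read one byte past `end`; consider adding a one-line comment above the loop stating that two octets are required for the element ID and length header, so the `2` is not later "simplified" back to `1`. Also worth documenting that the two checks are deliberately ordered (header available first, then body length within the buffer), since the remainder of the loop body that advances `pos` is not in the visible context and a future reader should not reorder them.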