wpa_supplicant: Fix buffer overflow in roaming_consortiums
When configuring more than 36 roaming consortiums with SET_CRED, the
stack is smashed. Fix that by correctly verifying the
num_roaming_consortiums.
Fixes: 909a948b ("HS 2.0: Add a new cred block parameter roaming_consortiums")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This commit is contained in:
Andrei Otcheretianski
Jouni Malinen
parent
40432e6eb3
commit
ac0ac1ddfd
1 changed files with 5 additions and 3 deletions
|
|
@ -3155,14 +3155,16 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
|
|||
}
|
||||
roaming_consortiums_len[num_roaming_consortiums] = len / 2;
|
||||
num_roaming_consortiums++;
|
||||
if (num_roaming_consortiums > MAX_ROAMING_CONS) {
|
||||
|
||||
if (!end)
|
||||
break;
|
||||
|
||||
if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"Too many roaming_consortiums OIs");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!end)
|
||||
break;
|
||||
pos = end + 1;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue