[PATCH] Fix out of bounds memory access when removing vendor elements.

Jouni Malinen j at w1.fi
Mon Oct 6 18:36:18 EDT 2014


On Mon, Oct 06, 2014 at 12:24:33PM +0100, Toby Gray wrote:
> Commit 86bd36f0d5b3d359075c356d68977b4d2e7c9f71 ("Add generic
> mechanism for adding vendor elements into frames") has a minor bug
> where it miscalculates the length of memory to move using
> os_memmove. If multiple vendor elements are specified then this can
> lead to out of bounds memory accesses.
> 
> This patch fixes this by calculating the correct length of remaining
> data to shift down in the information element.

Thanks, applied. I also extended the hwsim test script to check for
this. Previously, it was only deleting the first IE and the issue was
not triggered.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list