Re: [PATCH 3/9] WNM: Fix candidates count in BSS Transition Management request

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 29, 2016 at 02:29:59PM +0200, Ilan Peer wrote:
> In BSS transition management request, it is possible that vendor specific IEs
> are included after the candidate list. In this case the candidates count is
> incremented although the candidate list is already over, which may result in
> accessing uninitialized data.

This is obviously a bug, but I don't see where the accessing of
uninitialized data would occur in the traditional sense of
"uninitialized". The wpa_s->wnm_neighbor_report_elements array is
initialized to all zeros (os_calloc) and an extra IE in the end of the
frame would result in an extra neighbor list entry due to the count
incremented, but that entry would be all zeros (for BSSID
00:00:00:00:00:00 and without any extra information).

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux