RE: [PATCH 3/9] WNM: Fix candidates count in BSS Transition Management request


 



> -----Original Message-----
> From: Jouni Malinen [mailto:j@xxxxx]
> Sent: Thursday, March 03, 2016 17:28
> To: Peer, Ilan
> Cc: hostap@xxxxxxxxxxxxxxxxxxx; Stern, Avraham
> Subject: Re: [PATCH 3/9] WNM: Fix candidates count in BSS Transition
> Management request
> 
> On Mon, Feb 29, 2016 at 02:29:59PM +0200, Ilan Peer wrote:
> > In BSS transition management request, it is possible that vendor
> > specific IEs are included after the candidate list. In this case the
> > candidates count is incremented although the candidate list is already
> > over, which may result in accessing uninitialized data.
> 
> This is obviously a bug, but I don't see where the accessing of uninitialized
> data would occur in the traditional sense of "uninitialized". The
> wpa_s->wnm_neighbor_report_elements array is initialized to all zeros
> (os_calloc) and an extra IE in the end of the frame would result in an extra
> neighbor list entry due to the count incremented, but that entry would be all
> zeros (for BSSID 00:00:00:00:00:00 and without any extra information).
> 

Agree. This was an inadequate choice of words :)

Ilan.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
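
The miscount discussed in this thread, as an added example (not hostap code and not part of the original messages): a reduced element-list walker that either counts every IE as a candidate or counts only Neighbor Report elements, writing into a zero-initialized array. `parse_candidates`, `struct candidate`, `MAX_CANDIDATES` and the sample bytes are assumptions made for illustration; 52 and 221 are the IEEE 802.11 element IDs for Neighbor Report and Vendor Specific.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EID_NEIGHBOR_REPORT 52   /* IEEE 802.11 Neighbor Report element */
#define EID_VENDOR_SPECIFIC 221  /* IEEE 802.11 Vendor Specific element */
#define MAX_CANDIDATES 10        /* assumed cap for this example */

struct candidate { uint8_t bssid[6]; };  /* hypothetical, reduced entry */

/* Constructed sample: two Neighbor Reports, then one Vendor Specific IE. */
static const uint8_t sample_ies[] = {
    EID_NEIGHBOR_REPORT, 13, 0x02,0,0,0,0,0x01, 0,0,0,0, 81, 1, 7,
    EID_NEIGHBOR_REPORT, 13, 0x02,0,0,0,0,0x02, 0,0,0,0, 81, 6, 7,
    EID_VENDOR_SPECIFIC, 4, 0x00,0x11,0x22, 0x01,
};

/* Walk the element list that follows the fixed BSS TM Request fields.
 * count_every_ie != 0 reproduces the miscount discussed in the thread;
 * 0 counts only Neighbor Report elements. Returns the candidate count,
 * or -1 on a truncated element. *out is calloc'ed; caller frees it. */
int parse_candidates(const uint8_t *pos, size_t len, int count_every_ie,
                     struct candidate **out)
{
    const uint8_t *end = pos + len;
    int n = 0;

    *out = calloc(MAX_CANDIDATES, sizeof(**out));
    if (!*out)
        return -1;
    while (end - pos >= 2 && n < MAX_CANDIDATES) {
        uint8_t id = *pos++;
        uint8_t elen = *pos++;
        /* 13 = BSSID + BSSID Info + op class + channel + PHY type */
        int is_nr = (id == EID_NEIGHBOR_REPORT && elen >= 13);

        if (elen > end - pos) {   /* element overruns the frame */
            free(*out);
            *out = NULL;
            return -1;
        }
        if (is_nr)
            memcpy((*out)[n].bssid, pos, 6);  /* BSSID is the first field */
        if (count_every_ie || is_nr)
            n++;
        pos += elen;
    }
    return n;
}
```

With the sample bytes, counting every IE yields three candidates, the third being the zeroed entry (BSSID 00:00:00:00:00:00) described in the quoted reply; counting only Neighbor Report elements yields two.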


