When configuring more than 36 roaming consortiums, the stack is
smashed.
Fix that by correctly verifying the num_roaming_consortiums.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@xxxxxxxxx>
---
wpa_supplicant/config.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index dd7f603..06fe670 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -3155,14 +3155,15 @@ static int wpa_config_set_cred_roaming_consortiums(struct wpa_cred *cred,
}
roaming_consortiums_len[num_roaming_consortiums] = len / 2;
num_roaming_consortiums++;
- if (num_roaming_consortiums > MAX_ROAMING_CONS) {
+
+ if (!end)
+ break;
+
+ if (num_roaming_consortiums >= MAX_ROAMING_CONS) {
wpa_printf(MSG_INFO,
"Too many roaming_consortiums OIs");
return -1;
}
-
- if (!end)
- break;
pos = end + 1;
}
--
2.7.4
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
