[OpenWrt-Devel] [PATCH] iwinfo: Fix incorrect buffer allocation in nl80211_get_ifcomb_cb()

Andrew McDonnell bugs at andrewmcdonnell.net
Thu Dec 11 08:47:45 EST 2014


This fixes a buffer overwrite; I found it when building with SSP enabled.

---

 iwinfo_nl80211.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/iwinfo_nl80211.c b/iwinfo_nl80211.c
index 2731b2b..be58c56 100644
--- a/iwinfo_nl80211.c
+++ b/iwinfo_nl80211.c
@@ -2446,15 +2446,15 @@ static int nl80211_get_ifcomb_cb(struct nl_msg *msg, void *arg)
 			[NL80211_IFACE_COMB_LIMITS] = { .type = NLA_NESTED },
 			[NL80211_IFACE_COMB_MAXNUM] = { .type = NLA_U32 },
 		};
-		struct nlattr *tb_comb[NUM_NL80211_IFACE_COMB];
+		struct nlattr *tb_comb[NUM_NL80211_IFACE_COMB+1];
 		static struct nla_policy iface_limit_policy[NUM_NL80211_IFACE_LIMIT] = {
 			[NL80211_IFACE_LIMIT_TYPES] = { .type = NLA_NESTED },
 			[NL80211_IFACE_LIMIT_MAX] = { .type = NLA_U32 },
 		};
-		struct nlattr *tb_limit[NUM_NL80211_IFACE_LIMIT];
+		struct nlattr *tb_limit[NUM_NL80211_IFACE_LIMIT+1];
 		struct nlattr *limit;
 
-		nla_parse_nested(tb_comb, NL80211_BAND_ATTR_MAX, comb, iface_combination_policy);
+		nla_parse_nested(tb_comb, NUM_NL80211_IFACE_COMB, comb, iface_combination_policy);
 
 		if (!tb_comb[NL80211_IFACE_COMB_LIMITS])
 			continue;
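Review bot: the new maxtype in the nla_parse_nested() call, NUM_NL80211_IFACE_COMB, is a count rather than the highest attribute index, so it is one larger than it needs to be. libnl's parser fills tb[0..maxtype] and consults policy[type] for every type up to maxtype, so the +1 on tb_comb keeps the table write in bounds, but a policy array declared with NUM_... entries (as iface_limit_policy[NUM_NL80211_IFACE_LIMIT] is here) would still be read one slot past its end for an attribute of type NUM. Passing MAX_NL80211_IFACE_COMB from nl80211.h and leaving tb_comb[NUM_NL80211_IFACE_COMB] at its original size fixes the overwrite without touching the array sizes, since the root cause visible in this hunk is the unrelated NL80211_BAND_ATTR_MAX constant. The tb_limit resize has no matching nla_parse_nested() change in the hunk; please confirm which maxtype that call passes and apply the same MAX_ convention there. A sentence in the commit message naming the wrong constant as the cause would also help.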
-- 
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


