authorJukka Rissanen <jukka.rissanen@linux.intel.com>2011-08-31 14:50:10 +0300
committerSamuel Ortiz <sameo@linux.intel.com>2011-09-12 11:40:48 +0200
commit99e97f3a44ed1efc7d5070eb5366eef59040318a (patch)
treee928f038edce2a7984fe1040a49fda697a3f4b11 /gsupplicant
parent255e2467b162c5514229deb2b12070793ba7eeb4 (diff)
gsupplicant: Do not access IE array past end of buffer
IE list was traversed past buffer limit in the last round.
Diffstat (limited to 'gsupplicant')
-rw-r--r--gsupplicant/supplicant.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
index e5743f01..2586075d 100644
--- a/gsupplicant/supplicant.c
+++ b/gsupplicant/supplicant.c
@@ -1167,7 +1167,9 @@ static void bss_process_ies(DBusMessageIter *iter, void *user_data)
if (ie == NULL || ie_len < 2)
return;
- for (ie_end = ie+ie_len; ie+ie[1]+1 <= ie_end; ie += ie[1]+2) {
+ for (ie_end = ie + ie_len; ie < ie_end && ie + ie[1] + 1 <= ie_end;
+ ie += ie[1] + 2) {
+
if (ie[0] != WMM_WPA1_WPS_INFO || ie[1] < WPS_INFO_MIN_LEN ||
memcmp(ie+2, WPS_OUI, sizeof(WPS_OUI)) != 0)
continue;
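Review bot: The new loop condition still reads `ie[1]` when only one byte remains, because `ie < ie_end` guarantees `ie[0]` is inside the buffer but not the length octet at `ie + 1`. The second clause also looks one short: the loop advances by `ie[1] + 2`, so an element ends at `ie + ie[1] + 2`, yet the test only requires `ie + ie[1] + 1 <= ie_end`, which allows the final payload byte to sit at `ie_end`. These bytes presumably originate from scan results supplied by nearby access points, so I would bound on the remaining length rather than form a pointer that may pass the end: `ie_end - ie >= 2 && ie[1] <= ie_end - ie - 2`. The body of bss_process_ies continues outside the hunk, so whether the later parsing actually touches that last byte cannot be confirmed from here.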