3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-26 10:39:23 +01:00

ie: Add additional boundary checking

==20758== Invalid read of size 1
==20758==    at 0x401254: ie_tlv_iter_next (ie.c:55)
==20758==    by 0x40104B: ie_test (test-ie.c:57)
==20758==    by 0x4021C0: l_test_run (test.c:83)
==20758==    by 0x4011B7: main (test-ie.c:123)
==20758==  Address 0x51e10f3 is 0 bytes after a block of size 19 alloc'd
==20758==    at 0x4C2C874: realloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20758==    by 0x4010CF: append_data (test-ie.c:101)
==20758==    by 0x40118F: main (test-ie.c:119)
==20758==
==20758== Invalid read of size 1
==20758==    at 0x401266: ie_tlv_iter_next (ie.c:56)
==20758==    by 0x40104B: ie_test (test-ie.c:57)
==20758==    by 0x4021C0: l_test_run (test.c:83)
==20758==    by 0x4011B7: main (test-ie.c:123)
==20758==  Address 0x51e10f4 is 1 bytes after a block of size 19 alloc'd
==20758==    at 0x4C2C874: realloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20758==    by 0x4010CF: append_data (test-ie.c:101)
==20758==    by 0x40118F: main (test-ie.c:119)
This commit is contained in:
Denis Kenzior 2014-07-15 19:07:05 -05:00
parent 5cf28c6dc7
commit 119a1e7de3

View File

@ -49,6 +49,9 @@ bool ie_tlv_iter_next(struct ie_tlv_iter *iter)
unsigned int tag; unsigned int tag;
unsigned int len; unsigned int len;
if (iter->pos >= iter->max)
return false;
tag = *tlv++; tag = *tlv++;
len = *tlv++; len = *tlv++;