From: Andrew McDonnell Date: Thu, 11 Dec 2014 13:47:45 +0000 (+1030) Subject: iwinfo: Fix incorrect buffer allocation in nl80211_get_ifcomb_cb() X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=50370d9e698696770b021caf0b5f6482bacb45ce;p=oweals%2Fiwinfo.git iwinfo: Fix incorrect buffer allocation in nl80211_get_ifcomb_cb() This fixes a buffer overwrite, I found it when building with SSP enabled --- diff --git a/iwinfo_nl80211.c b/iwinfo_nl80211.c index 2731b2b..be58c56 100644 --- a/iwinfo_nl80211.c +++ b/iwinfo_nl80211.c @@ -2446,15 +2446,15 @@ static int nl80211_get_ifcomb_cb(struct nl_msg *msg, void *arg) [NL80211_IFACE_COMB_LIMITS] = { .type = NLA_NESTED }, [NL80211_IFACE_COMB_MAXNUM] = { .type = NLA_U32 }, }; - struct nlattr *tb_comb[NUM_NL80211_IFACE_COMB]; + struct nlattr *tb_comb[NUM_NL80211_IFACE_COMB+1]; static struct nla_policy iface_limit_policy[NUM_NL80211_IFACE_LIMIT] = { [NL80211_IFACE_LIMIT_TYPES] = { .type = NLA_NESTED }, [NL80211_IFACE_LIMIT_MAX] = { .type = NLA_U32 }, }; - struct nlattr *tb_limit[NUM_NL80211_IFACE_LIMIT]; + struct nlattr *tb_limit[NUM_NL80211_IFACE_LIMIT+1]; struct nlattr *limit; - nla_parse_nested(tb_comb, NL80211_BAND_ATTR_MAX, comb, iface_combination_policy); + nla_parse_nested(tb_comb, NUM_NL80211_IFACE_COMB, comb, iface_combination_policy); if (!tb_comb[NL80211_IFACE_COMB_LIMITS]) continue;