From: Jouni Malinen Date: Fri, 6 Jun 2008 13:51:17 +0000 (+0300) Subject: Fixed a buffer overflow in nla_parse call X-Git-Tag: hostap_0_6_4~34 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=libeap.git;a=commitdiff_plain;h=3f3339dfe736c051ea80ef5a24bd1651e397224c Fixed a buffer overflow in nla_parse call The first argument (tb) to nla_parse must have room for maxtype+1, not maxtype, elements. --- diff --git a/hostapd/driver_nl80211.c b/hostapd/driver_nl80211.c index a1a5094..9aaab60 100644 --- a/hostapd/driver_nl80211.c +++ b/hostapd/driver_nl80211.c @@ -273,7 +273,7 @@ static inline int min_int(int a, int b) static int get_key_handler(struct nl_msg *msg, void *arg) { - struct nlattr *tb[NL80211_ATTR_MAX]; + struct nlattr *tb[NL80211_ATTR_MAX + 1]; struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
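Review bot: The size of `tb` in get_key_handler and the `NL80211_ATTR_MAX` passed to nla_parse two lines later are kept in step only by convention, so the same off-by-one can return whenever a handler is copied or the maxtype argument changes. Add a one-line comment at the declaration saying that nla_parse fills indices 0 through maxtype inclusive, which is why the array needs maxtype + 1 slots. Because `tb` is a local array, the old sizing let nla_parse write one pointer-sized slot past it on the stack, and since the library clears the full maxtype + 1 range before parsing, that happened on every call rather than only when the highest attribute was present. This hunk touches only get_key_handler; any other nla_parse call in driver_nl80211.c that declares `tb[NL80211_ATTR_MAX]` needs the same change, and the commit should say whether those were checked.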