
Fixed a buffer overflow in nla_parse call

The first argument (tb) to nla_parse must have room for maxtype+1, not
maxtype, elements.
Jouni Malinen 17 years ago
parent
commit
3f3339dfe7
1 changed files with 1 additions and 1 deletions

+ 1 - 1
hostapd/driver_nl80211.c

@@ -273,7 +273,7 @@ static inline int min_int(int a, int b)
 
 static int get_key_handler(struct nl_msg *msg, void *arg)
 {
-	struct nlattr *tb[NL80211_ATTR_MAX];
+	struct nlattr *tb[NL80211_ATTR_MAX + 1];
 	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
 
 	nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
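Review bot: the size of tb in get_key_handler and the maxtype argument passed to nla_parse two lines below are still matched only by convention, so the same off-by-one can come back if either line is edited alone. The new declaration tb[NL80211_ATTR_MAX + 1] is correct for a parser that fills indices 0 through maxtype, as the commit message describes. Consider a one-line comment at the declaration stating that nla_parse needs maxtype + 1 slots, or derive the maxtype argument from the array itself (sizeof(tb) / sizeof(tb[0]) - 1). Since this patch touches only get_key_handler, it is also worth checking any other nla_parse callers in hostapd/driver_nl80211.c for a tb array declared with the bare maximum.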