[1/4] monitor: fix buffer overrun parsing country IE

Commit Message

James Prestwood Dec. 30, 2022, 12:24 a.m. UTC

The country IE can sometimes have a zero pad byte at the end for
alignment. This was not being checked for which caused the loop
to go past the end of the IE and print an entry for channel 0
(the pad byte) plus some garbage data.

Fix this by checking for the pad byte explicitly which skips the
print and terminates the loop.
---
 monitor/nlmon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Denis Kenzior Dec. 30, 2022, 6:05 p.m. UTC | #1

Hi James,

On 12/29/22 18:24, James Prestwood wrote:
> The country IE can sometimes have a zero pad byte at the end for
> alignment. This was not being checked for which caused the loop
> to go past the end of the IE and print an entry for channel 0
> (the pad byte) plus some garbage data.
> 
> Fix this by checking for the pad byte explicitly which skips the
> print and terminates the loop.
> ---
>   monitor/nlmon.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

All applied, thanks.

Regards,
-Denis

Patch

diff --git a/monitor/nlmon.c b/monitor/nlmon.c
index 9694cfd1..652dea96 100644
--- a/monitor/nlmon.c
+++ b/monitor/nlmon.c
@@ -494,7 +494,7 @@  static void print_ie_country(unsigned int level, const char *label,
 			if (code[i + 2] < 32)
 				print_attr(level + 1, "%27c (air propagation "
 					"time %2d µs)", ' ', 3 * code[i + 2]);
-		} else {
+		} else if (code[i] != 0) {
 			print_attr(level + 1, "First channel %3d number of "
 				"channels %2d max tx power %2d dBm",
 				code[i], code[i + 1], code[i + 2]);