[PATCH] wpa_supplicant: Check length when building ext_cabality in assoc_cb
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Mon Aug 21 09:36:25 PDT 2017
From: Adiel Aloni <adiel.aloni at intel.com>
When building wpa_ie in wpas_start_assoc_cb with ext_capab,
make sure that assignment does not exceed max_wpa_ie_len.
Signed-off-by: Adiel Aloni <adiel.aloni at intel.com>
---
wpa_supplicant/wpa_supplicant.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 4932fa8..9daf172 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2567,7 +2567,8 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
int ext_capab_len;
ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
sizeof(ext_capab));
- if (ext_capab_len > 0) {
+ if (ext_capab_len > 0 &&
+ (wpa_ie_len + ext_capab_len) <= max_wpa_ie_len) {
u8 *pos = wpa_ie;
if (wpa_ie_len > 0 && pos[0] == WLAN_EID_RSN)
pos += 2 + pos[1];
--
2.7.4
More information about the Hostap
mailing list