[PATCH] Using wpa_psk_radius=3 can lead to malformed RADIUS packets that do not conform to the standard for "Long Extended Type" as defined in RFC 6929.

[Kellen Gattis]

This was observed when using wpa_psk_radius=3 in conjunction with
wpa_key_mgmt=WPA-PSK FT-PSK that resulted in a RADIUS attribute for
245.26.11344.2 that was 256 octets in size.  The expected outcome was
two fragments containing data sizes of 251 and 5 octets, but hostapd
instead created a fragment of 256 octets (exceeded the size limit)
followed by a fragment of 5 octets.

This patch will make it so the fragments preceding the final fragment
will have the correct data size by using alen instead of data_len when
running wpabuf_put_data.

Signed-off-by: Kellen Gattis <k3113n6 at gmail.com>
---
 src/radius/radius.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/radius/radius.c b/src/radius/radius.c
index 029e6223c..40c037dcc 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -807,7 +807,7 @@ struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u16 type,
 			ext->length = sizeof(*ext) + 1 + alen;
 			ext->ext_type = ext_type;
 			wpabuf_put_u8(msg->buf, data_len > alen ? 0x80 : 0);
-			wpabuf_put_data(msg->buf, data, data_len);
+			wpabuf_put_data(msg->buf, data, alen);
 			data += alen;
 			data_len -= alen;
 			if (radius_msg_add_attr_to_array(
-- 
2.49.0