Crash while hs20=1 in wpa_supplicant.conf

Jouni Malinen
Tue Feb 5 07:45:08 PST 2013


On Tue, Feb 05, 2013 at 07:40:39PM +0530, Shyam wrote:
> I noticed a crash when I enabled hs20=1 in conf file of the
> supplicant. The crash referred to the bad address being accessed.
> I took a look at the scan.c file; the buffer resize happens for 6
> whereas the function wpas_hs20_add_indication adds 7 bytes of
> information.
> 
>         if (wpa_s->conf->hs20 && wpabuf_resize(&extra_ie, 6) == 0)
>                 wpas_hs20_add_indication(extra_ie);
> 
> The fix should be to increase the resize value to 7 instead of 6,
> which fixed the crash.

Thanks, fixed. Please note that this configuration is not going to work
correctly since Hotspot 2.0 requires Interworking (interworking=1 in the
configuration file). Obviously wpa_supplicant is not supposed to exit
here even with such configuration, but this issue got hidden by that
interworking=1 case allocating a larger buffer to avoid this resizing
with incorrect length.

-- 
Jouni Malinen                                            PGP id EFC895FA
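The sizing mismatch reported above, modelled as an added example that is not hostap's own wpabuf code: a small growable IE buffer whose append refuses to write past its allocated end, so reserving 6 bytes and then appending the 7-byte HS 2.0 Indication element fails at the last byte instead of touching memory it does not own. The element layout (vendor-specific IE 0xdd, length 5, WFA OUI 50-6f-9a, OUI type 0x10, one configuration byte) is assumed from the Hotspot 2.0 specification; the function names iebuf_*, add_hs20_indication and try_build are hypothetical and only mirror the shape of the code in the thread.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a growable information-element buffer.
 * This is an added example, not hostap's struct wpabuf. */
struct iebuf {
    uint8_t *buf;  /* element bytes */
    size_t size;   /* allocated capacity */
    size_t used;   /* bytes written so far */
};

/* Ensure at least add_len bytes of tailroom, allocating the buffer on
 * first use (the role wpabuf_resize() plays in the thread). 0 on success. */
static int iebuf_resize(struct iebuf **bufp, size_t add_len)
{
    struct iebuf *b = *bufp;
    if (b == NULL) {
        b = calloc(1, sizeof(*b));
        if (b == NULL)
            return -1;
        *bufp = b;
    }
    if (b->used + add_len > b->size) {
        uint8_t *n = realloc(b->buf, b->used + add_len);
        if (n == NULL)
            return -1;
        b->buf = n;
        b->size = b->used + add_len;
    }
    return 0;
}

static void iebuf_free(struct iebuf *b)
{
    if (b) {
        free(b->buf);
        free(b);
    }
}

/* Append one byte. Returns -1 instead of writing beyond the capacity;
 * this is the point where an undersized reservation is caught. */
static int iebuf_put_u8(struct iebuf *b, uint8_t v)
{
    if (b->used + 1 > b->size)
        return -1;
    b->buf[b->used++] = v;
    return 0;
}

/* Append the 7-byte HS 2.0 Indication element (layout assumed from the
 * Hotspot 2.0 spec): EID 0xdd, length 5, WFA OUI, OUI type 0x10, config. */
static int add_hs20_indication(struct iebuf *b, uint8_t hs_conf)
{
    const uint8_t body[] = { 0xdd, 5, 0x50, 0x6f, 0x9a, 0x10, hs_conf };
    for (size_t i = 0; i < sizeof(body); i++) {
        if (iebuf_put_u8(b, body[i]) < 0)
            return -1;
    }
    return 0;
}

/* Reserve `reserve` bytes, then append the element, as the scan.c snippet
 * does. Returns 0 if all 7 bytes fit, -1 if the append ran out of room. */
int try_build(size_t reserve)
{
    struct iebuf *b = NULL;
    int rc = -1;
    if (iebuf_resize(&b, reserve) == 0)
        rc = add_hs20_indication(b, 0x00);
    iebuf_free(b);
    return rc;
}

int main(void)
{
    /* The reported bug: reserving 6 for a 7-byte element. */
    printf("resize 6: %s\n", try_build(6) == 0 ? "fits" : "overflow caught");
    /* The fix from the thread: reserve 7. */
    printf("resize 7: %s\n", try_build(7) == 0 ? "fits" : "overflow caught");
    return 0;
}
```

The model makes the check explicit: whatever constant the caller passes to the resize must be at least the number of bytes the element writer appends, and the safest way to keep the two in step is to derive the reservation from the writer's own length rather than hard-coding it at the call site.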