[PATCH] RSNO: Fix RSNXE override length check
Eran Nevet
eran.nevet at intel.com
Mon Dec 8 08:29:43 PST 2025
From: "Nevet, Eran" <eran.nevet at intel.com>
The RSNXE override element verification checked that the element
length is at least 6 octets. However, since the minimal length
of the RSNXE is only 1 octet, change the verification to verify
at least 5 octets.
Signed-off-by: "Nevet, Eran" <eran.nevet at intel.com>
---
wpa_supplicant/events.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 7ea1199cb..ff1c88aac 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3784,7 +3784,7 @@ no_pfs:
if (p[0] == WLAN_EID_RSNX && p[1] >= 1)
wpa_sm_set_ap_rsnxe(wpa_s->wpa, p, len);
- if (p[0] == WLAN_EID_VENDOR_SPECIFIC && p[1] >= 6 &&
+ if (p[0] == WLAN_EID_VENDOR_SPECIFIC && p[1] >= 5 &&
WPA_GET_BE32(&p[2]) == RSNXE_OVERRIDE_IE_VENDOR_TYPE)
wpa_sm_set_ap_rsnxe_override(wpa_s->wpa, p, len);
--
2.35.3
---------------------------------------------------------------------
Intel Israel (74) Limited
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
More information about the Hostap
mailing list