[PATCH] RSNO: Fix RSNXE override length check
Eran Nevet
eran.nevet at intel.com
Mon Dec 8 22:05:04 PST 2025
From: "Nevet, Eran" <eran.nevet at intel.com>
The RSNXE override element verification checked that the element
length is at least 6 octets. However, since the minimal length
of the RSNXE is only 1 octet, change the verification to verify
at least 5 octets.
Signed-off-by: "Nevet, Eran" <eran.nevet at intel.com>
---
wpa_supplicant/events.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 7ea1199cb..ff1c88aac 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3784,7 +3784,7 @@ no_pfs:
if (p[0] == WLAN_EID_RSNX && p[1] >= 1)
wpa_sm_set_ap_rsnxe(wpa_s->wpa, p, len);
- if (p[0] == WLAN_EID_VENDOR_SPECIFIC && p[1] >= 6 &&
+ if (p[0] == WLAN_EID_VENDOR_SPECIFIC && p[1] >= 5 &&
WPA_GET_BE32(&p[2]) == RSNXE_OVERRIDE_IE_VENDOR_TYPE)
wpa_sm_set_ap_rsnxe_override(wpa_s->wpa, p, len);
--
2.35.3
More information about the Hostap
mailing list