The length of the additional elements was not used correctly, so the
check for remaining tailroom would not have caught cases where there is
not enough remaining room in the buffer and the following
wpabuf_put_data() operation would have resulted in terminating the
process due to the additional check to prevent buffer overflows.

The existing use cases for this function within wpa_supplicant do not
seem to generate buffers that would be even close to reaching this limit
due to the large buffer size used for the target. Anyway, this check needs
to be fixed to avoid any potential issues in the future or in external
uses for this function.

Fixes: b1ed44b6a699 ("PASN: Allow extra elements to be added into PASN Authentication frames")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
if (!len || !extra_ies || !buf)
return 0;
- if (wpabuf_tailroom(buf) < sizeof(len))
+ if (wpabuf_tailroom(buf) < len)
return -1;
wpabuf_put_data(buf, extra_ies, len);
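
Review bot: the early return at the top of this hunk still reports success (return 0) when buf is NULL even if len and extra_ies are both set, so a caller cannot tell "nothing to add" apart from "no buffer to add it to"; consider splitting that condition so the !buf case returns -1. The corrected comparison wpabuf_tailroom(buf) < len now matches the number of bytes that wpabuf_put_data(buf, extra_ies, len) writes, which is the right bound. Since the return -1 path is silent, a short debug message there stating the needed and available lengths would make the failure easier to diagnose for the external users the commit message mentions.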