The IE header length check was off-by-one and that could allow the loop
to read one octet beyond the end of the buffer before breaking out in
the second check.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927
Fixes: 0a66ce3c49db ("WNM: Add support for SSID List element matching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
pos = ssid_list;
end = ssid_list + ssid_list_len;
- while (end - pos >= 1) {
+ while (end - pos >= 2) {
if (2 + pos[1] > end - pos)
break;
if (pos[1] == 0)
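Review bot: the new `end - pos >= 2` guard is the right condition here, because the loop body dereferences `pos[1]` in `if (2 + pos[1] > end - pos)` before that length check can break out; with `>= 1` only `pos[0]` was guaranteed to be inside `[ssid_list, end)`, so a buffer ending with a lone element-ID octet read one byte past `end`, exactly the out-of-bounds read the commit message describes. Consider adding a one-line comment above the loop such as `/* need a full 2-octet element header (id, len) before reading pos[1] */` so a later cleanup does not regress the bound back to `>= 1`. The following `2 + pos[1] > end - pos` check still correctly bounds the element body, so the two checks together cover both the header and the payload.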