iw: scan: fix buffer over-read in parsing roaming consortium

ANQP and OI length are always present, increase min. length by 2.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Link: https://lore.kernel.org/r/20200209165902.44110-5-markus.theil@tu-ilmenau.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/scan.c b/scan.c
index 49db7f1c0209ed26db1073db07c82914192cb04d..e8a7afdfb00d46843ef44dd23f4d96340477e2ff 100644 (file)
--- a/scan.c
+++ b/scan.c
@@ -1716,7 +1716,7 @@ static const struct ie_print ieprinters[] = {
        [127] = { "Extended capabilities", print_capabilities, 0, 255, BIT(PRINT_SCAN), },
        [107] = { "802.11u Interworking", print_interworking, 0, 255, BIT(PRINT_SCAN), },
        [108] = { "802.11u Advertisement", print_11u_advert, 0, 255, BIT(PRINT_SCAN), },
-       [111] = { "802.11u Roaming Consortium", print_11u_rcon, 0, 255, BIT(PRINT_SCAN), },
+       [111] = { "802.11u Roaming Consortium", print_11u_rcon, 2, 255, BIT(PRINT_SCAN), },
        [195] = { "Transmit Power Envelope", print_tx_power_envelope, 2, 5, BIT(PRINT_SCAN), },
 };