Multi-AP: Use proper length for remaining buffer for the element

Replace the hardcoded buffer length with the actually number of
remaining bytes on the buffer. This is needed to be able to do real
buffer size validation within add_multi_ap_ie().

Furthermore, make hostapd_eid_multi_ap() static since it is not used
outside this file.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 1526c3d1a184511eda8d1280bfd130c7fd9bc0a6..77553dc6119b09fa1c981604c04426f95362f380 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -88,7 +88,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
                              struct sta_info *sta, int reassoc);
 
 
-u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
+static u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid, size_t len)
 {
        struct multi_ap_params multi_ap = { 0 };
 
@@ -100,7 +100,7 @@ u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
        if (hapd->conf->multi_ap & FRONTHAUL_BSS)
                multi_ap.capability |= MULTI_AP_FRONTHAUL_BSS;
 
-       return eid + add_multi_ap_ie(eid, 9, &multi_ap);
+       return eid + add_multi_ap_ie(eid, len, &multi_ap);
 }
 
 
@@ -4997,7 +4997,7 @@ rsnxe_done:
 #endif /* CONFIG_WPS */
 
        if (sta && (sta->flags & WLAN_STA_MULTI_AP))
-               p = hostapd_eid_multi_ap(hapd, p);
+               p = hostapd_eid_multi_ap(hapd, p, buf + buflen - p);
 
 #ifdef CONFIG_P2P
        if (sta && sta->p2p_ie && hapd->p2p_group) {