HS 2.0: Fix IE buffer length for extra scan IEs

The HS 2.0 Indication element is 7 (not 6) octets. The previous
implementation could result in wpabuf validation code stopping the
program if HS 2.0 was enabled without Interworking or P2P (which would
have created a large enough buffer to avoid hitting this) being enable.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c
index 25a9ef821ef8da9aabde51bcd03a5719a892ce73..19405a453892ef87f76b522eb18b77edd09194c3 100644 (file)
--- a/wpa_supplicant/scan.c
+++ b/wpa_supplicant/scan.c
@@ -735,7 +735,7 @@ ssid_list_set:
        extra_ie = wpa_supplicant_extra_ies(wpa_s);
 
 #ifdef CONFIG_HS20
-       if (wpa_s->conf->hs20 && wpabuf_resize(&extra_ie, 6) == 0)
+       if (wpa_s->conf->hs20 && wpabuf_resize(&extra_ie, 7) == 0)
                wpas_hs20_add_indication(extra_ie);
 #endif /* CONFIG_HS20 */