RSNO: Fix RSNXE override length check
authorNevet, Eran <eran.nevet@intel.com>
Tue, 9 Dec 2025 06:05:04 +0000 (08:05 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 13 Dec 2025 16:20:08 +0000 (18:20 +0200)
The RSNXE override element verification checked that the element
length is at least 6 octets. However, since the minimal length
of the RSNXE is only 1 octet, change the verification to verify
at least 5 octets.

Signed-off-by: "Nevet, Eran" <eran.nevet@intel.com>
wpa_supplicant/events.c

index 00066b2c7dc9f3087d81a73b03a798cf62b7f8b9..6c31e3952b92275000f81d82bafc328bd2cbed49 100644 (file)
@@ -3820,7 +3820,7 @@ no_pfs:
                if (p[0] == WLAN_EID_RSNX && p[1] >= 1)
                        wpa_sm_set_ap_rsnxe(wpa_s->wpa, p, len);
 
-               if (p[0] == WLAN_EID_VENDOR_SPECIFIC && p[1] >= 6 &&
+               if (p[0] == WLAN_EID_VENDOR_SPECIFIC && p[1] >= 5 &&
                    WPA_GET_BE32(&p[2]) == RSNXE_OVERRIDE_IE_VENDOR_TYPE)
                        wpa_sm_set_ap_rsnxe_override(wpa_s->wpa, p, len);
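Review bot: The literal `5` in the new `p[1] >= 5` test has no explanation at the call site, so a later reader cannot tell it from an arbitrary minimum and may "correct" it back. A comment above the condition such as `/* 4 octets OUI + type, plus at least 1 octet of RSNXE payload */` would record the derivation given in the commit message. It is also worth noting there that the length test must stay ahead of `WPA_GET_BE32(&p[2])` in the `&&` chain, since that read covers p[2] through p[5]. Whether `p[1] + 2` has already been checked against the remaining IE buffer is decided in the enclosing loop, which starts and ends outside this hunk, so that bound should be confirmed there rather than assumed from these lines.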