PASN: Fix buffer tailroom validation in wpa_pasn_add_wrapped_data()

While the initial tailroom checks covers the unfragmented case
accurately, the length of the fragment header was not counted correctly
for the case where the Wrapped Data element needs to be fragmented. This
could theoretically result in missing a case where the target buffer is
a bit shorter than all the needed fragments and the following
wpabuf_put*() operation could resulted in terminating the process due to
the additional check to prevent buffer overflows.

The existing use cases for this function within wpa_supplicant do not
seem to generate buffers that would be even close to reaching this limit
due to large buffer size used for the target. Anyway, this check needs
to be fixed to avoid any potential issues in the future or in external
uses for this function.

Fixes: 9ce123cdbf82 ("PASN: Add common Authentication frame build/validation functions")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index 83f8d5b0cc3251d2eb127357f171dfe3c17067ef..982e997a566b7d8ffc9ed77483b4d57748de4ff4 100644 (file)
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -4101,7 +4101,7 @@ int wpa_pasn_add_wrapped_data(struct wpabuf *buf,
        data_len -= len - 1;
 
        while (data_len) {
-               if (wpabuf_tailroom(buf) < 1 + data_len)
+               if (wpabuf_tailroom(buf) < 2 + data_len)
                        return -1;
                wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
                len = data_len > 255 ? 255 : data_len;