Fix EAP-FAST PAC file writer to avoid crash with multiple PACs

One of the pointers to the PAC buffer was not updated after realloc
and if the realloc ended up returning new pointer, the *pos pointer
was still pointing at the old location (i.e., freed memory at
this point).

diff --git a/src/eap_peer/eap_fast_pac.c b/src/eap_peer/eap_fast_pac.c
index 541cce50dc019f57d05c86d1a8c79f3a43bb979d..403728808abcfbbd9125bf475c584354c2de62ef 100644 (file)
--- a/src/eap_peer/eap_fast_pac.c
+++ b/src/eap_peer/eap_fast_pac.c
@@ -497,6 +497,7 @@ static void eap_fast_write(char **buf, char **pos, size_t *buf_len,
                        *buf = NULL;
                        return;
                }
+               *pos = nbuf + (*pos - *buf);
                *buf = nbuf;
                *buf_len += need;
        }