From: Jouni Malinen Date: Tue, 19 Mar 2024 14:44:00 +0000 (+0200) Subject: Multi-AP: Use proper length for remaining buffer for the element X-Git-Tag: hostap_2_11~274 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e2ca2e4e2ad97f2ec914f8be48435b1f3224e3e;p=thirdparty%2Fhostap.git Multi-AP: Use proper length for remaining buffer for the element Replace the hardcoded buffer length with the actually number of remaining bytes on the buffer. This is needed to be able to do real buffer size validation within add_multi_ap_ie(). Furthermore, make hostapd_eid_multi_ap() static since it is not used outside this file. Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 1526c3d1a..77553dc61 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -88,7 +88,7 @@ static int add_associated_sta(struct hostapd_data *hapd, struct sta_info *sta, int reassoc);
-u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
+static u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid, size_t len)
 { struct multi_ap_params multi_ap = { 0 };
@@ -100,7 +100,7 @@ u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid) if (hapd->conf->multi_ap & FRONTHAUL_BSS) multi_ap.capability |= MULTI_AP_FRONTHAUL_BSS;
- return eid + add_multi_ap_ie(eid, 9, &multi_ap);
+ return eid + add_multi_ap_ie(eid, len, &multi_ap);
 }
@@ -4997,7 +4997,7 @@ rsnxe_done: #endif /* CONFIG_WPS */ if (sta && (sta->flags & WLAN_STA_MULTI_AP))
- p = hostapd_eid_multi_ap(hapd, p);
+ p = hostapd_eid_multi_ap(hapd, p, buf + buflen - p);
 #ifdef CONFIG_P2P if (sta && sta->p2p_ie && hapd->p2p_group) {
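Review bot: The new `len` parameter of hostapd_eid_multi_ap() in the first hunk is undocumented, although the second hunk now forwards it to add_multi_ap_ie() in place of the constant 9. I would add a comment above the definition such as `/* len: number of bytes still available at eid, not the size of the element */`. Presumably add_multi_ap_ie() returns 0 when the element does not fit, in which case this function returns eid unchanged and the element is omitted without any indication; that is worth stating in the same comment once confirmed against add_multi_ap_ie(), which is not shown on this page. The function body runs from the first hunk into the second, with lines in between outside the diff.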
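Review bot: In the third hunk `buf + buflen - p` is a signed pointer difference that is implicitly converted to size_t, so if an earlier element writer in this function has already advanced p beyond buf + buflen, the argument becomes a very large length and the size validation in add_multi_ap_ie() would no longer reject the write. Whether p is bounded before this point cannot be seen here, because the enclosing function starts and ends outside the hunk. A guard keeps the length meaningful: `size_t left = p < buf + buflen ? (size_t) (buf + buflen - p) : 0;` followed by `p = hostapd_eid_multi_ap(hapd, p, left);`. If other element builders in this function take a remaining length, computing it once in this form would give them all the same bound.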