From: Jouni Malinen Date: Thu, 9 Oct 2025 21:29:58 +0000 (+0300) Subject: PASN: Fix buffer tailroom validation in wpa_pasn_add_extra_ies() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1cf000222f337929559423746502161a8cf16c5d;p=thirdparty%2Fhostap.git PASN: Fix buffer tailroom validation in wpa_pasn_add_extra_ies() The length of the additional elements was not used correctly, so the check for remaining tailroom would not have caught cases where there is not enough remaining room in the buffer and the following wpabuf_put_data() operation would have resulted in terminating the process due to the additional check to prevent buffer overflows. The existing use cases for this function within wpa_supplicant do not seem to generate buffers that would be even close to reaching this limit due to large buffer size used for the target. Anyway, this check needs to be fixed to avoid any potential issues in the future or in external uses for this function. Fixes: b1ed44b6a699 ("PASN: Allow extra elements to be added into PASN Authentication frames") Signed-off-by: Jouni Malinen --- diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index 39da3ea70..83f8d5b0c 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -4316,7 +4316,7 @@ int wpa_pasn_add_extra_ies(struct wpabuf *buf, const u8 *extra_ies, size_t len) if (!len || !extra_ies || !buf) return 0; - if (wpabuf_tailroom(buf) < sizeof(len)) + if (wpabuf_tailroom(buf) < len) return -1; wpabuf_put_data(buf, extra_ies, len);