From: Adiel Aloni Date: Mon, 21 Aug 2017 16:36:25 +0000 (+0300) Subject: wpa_supplicant: Check length when building ext_capability in assoc_cb X-Git-Tag: hostap_2_7~1117 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c66c7d115368f0875d89d7fbd25e9209ea3d915;p=thirdparty%2Fhostap.git wpa_supplicant: Check length when building ext_capability in assoc_cb When building wpa_ie in wpas_start_assoc_cb() with ext_capab, make sure that assignment does not exceed max_wpa_ie_len. Signed-off-by: Adiel Aloni --- diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 88142675e..00ef3a4b5 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -2572,7 +2572,8 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) int ext_capab_len; ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab, sizeof(ext_capab)); - if (ext_capab_len > 0) { + if (ext_capab_len > 0 && + wpa_ie_len + ext_capab_len <= max_wpa_ie_len) { u8 *pos = wpa_ie; if (wpa_ie_len > 0 && pos[0] == WLAN_EID_RSN) pos += 2 + pos[1];
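Review bot: In the new condition in wpas_start_assoc_cb(), the case where the extended capabilities element does not fit is now handled the same way as the case where wpas_build_ext_capab() returned nothing, so the element is dropped from the association request without any trace. Consider separating the two cases and emitting a debug message (for example through wpa_printf() at MSG_DEBUG) when `wpa_ie_len + ext_capab_len <= max_wpa_ie_len` fails, so a missing element can be diagnosed from the log. A second, smaller point: ext_capab_len is declared as int, so if wpa_ie_len and max_wpa_ie_len are unsigned the addition is only safe because the `ext_capab_len > 0` test is evaluated first; a short comment noting that the order of the two tests matters would keep a later refactor from reordering them.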