From: Bruno.Kremp@sony.com <Bruno.Kremp@sony.com>
Date: Fri, 19 Dec 2025 10:25:46 +0000 (+0000)
Subject: Fix ieee802_11_defrag_mle_subelem() check on remaining buffer
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b1cd4686c76a79fb4cc4a46dfb61e28bc521dba;p=thirdparty%2Fhostap.git

Fix ieee802_11_defrag_mle_subelem() check on remaining buffer

The end pointer moves as well when cutting out a subelement
header. While the previous version checked against the original full
buffer, it is more accurate to check against the updated end of the
buffer.

Signed-off-by: Bruno Kremp <bruno.kremp@sony.com>
---

diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index 5d1e02f81..5bcab11df 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -3524,6 +3524,7 @@ ssize_t ieee802_11_defrag_mle_subelem(struct wpabuf *mlbuf,
 			return -1;
 
 		os_memmove(pos, pos + 2, end - (pos + 2));
+		end -= 2;
 		pos += elen - 2;
 		subelem_len += elen - 2;