From: Nevet, Eran <eran.nevet@intel.com>
Date: Tue, 9 Dec 2025 06:05:04 +0000 (+0200)
Subject: RSNO: Fix RSNXE override length check
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83be050b2b73b4a8c2721d71f3ee812c4a4fed63;p=thirdparty%2Fhostap.git

RSNO: Fix RSNXE override length check

The RSNXE override element verification checked that the element
length is at least 6 octets. However, since the minimal length
of the RSNXE is only 1 octet, change the verification to verify
at least 5 octets.

Signed-off-by: "Nevet, Eran" <eran.nevet@intel.com>
---

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 00066b2c7..6c31e3952 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3820,7 +3820,7 @@ no_pfs:
 		if (p[0] == WLAN_EID_RSNX && p[1] >= 1)
 			wpa_sm_set_ap_rsnxe(wpa_s->wpa, p, len);
 
-		if (p[0] == WLAN_EID_VENDOR_SPECIFIC && p[1] >= 6 &&
+		if (p[0] == WLAN_EID_VENDOR_SPECIFIC && p[1] >= 5 &&
 		    WPA_GET_BE32(&p[2]) == RSNXE_OVERRIDE_IE_VENDOR_TYPE)
 			wpa_sm_set_ap_rsnxe_override(wpa_s->wpa, p, len);