From: Jouni Malinen
Date: Thu, 9 Oct 2025 21:41:23 +0000 (+0300)
Subject: PASN: Fix buffer tailroom validation in wpa_pasn_add_wrapped_data()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb41fdcf2f8e2fb9677c3424036860afc146c297;p=thirdparty%2Fhostap.git

PASN: Fix buffer tailroom validation in wpa_pasn_add_wrapped_data()

While the initial tailroom check covers the unfragmented case accurately, the length of the fragment header was not counted correctly for the case where the Wrapped Data element needs to be fragmented. This could theoretically result in missing a case where the target buffer is a bit shorter than all the needed fragments and the following wpabuf_put*() operation could result in terminating the process due to the additional check to prevent buffer overflows.

The existing use cases for this function within wpa_supplicant do not seem to generate buffers that would be even close to reaching this limit due to the large buffer size used for the target. Anyway, this check needs to be fixed to avoid any potential issues in the future or in external uses for this function.

Fixes: 9ce123cdbf82 ("PASN: Add common Authentication frame build/validation functions")
Signed-off-by: Jouni Malinen
---

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index 83f8d5b0c..982e997a5 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -4101,7 +4101,7 @@ int wpa_pasn_add_wrapped_data(struct wpabuf *buf, data_len -= len - 1; while (data_len) { - if (wpabuf_tailroom(buf) < 1 + data_len) + if (wpabuf_tailroom(buf) < 2 + data_len) return -1; wpabuf_put_u8(buf, WLAN_EID_FRAGMENT); len = data_len > 255 ? 255 : data_len;
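
Review bot: the corrected check `wpabuf_tailroom(buf) < 2 + data_len` sits inside `while (data_len)` and counts only the current fragment's two-octet header against all of the remaining data, so for `data_len` above 255 it can pass on the first iteration and fail on a later one, returning -1 after earlier fragments have already been written into `buf`. Assuming the rest of the loop body (outside this hunk) writes the length octet and `len` octets of data, 300 remaining octets with 302 octets of tailroom pass the first check, consume 257 octets, and then fail with 45 octets of tailroom against a requirement of 47. The per-iteration check still prevents an overflow, but the caller is left with a partially built element. Consider computing the full requirement once before the loop, as `data_len` plus 2 octets for each fragment of up to 255 octets, so the function fails before modifying `buf`. A short comment naming the 2 as the Fragment element ID and Length octets would also make it easier to see why the previous constant of 1 was wrong.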