From: Jouni Malinen <j@w1.fi>
Date: Sat, 4 Dec 2010 19:37:41 +0000 (-0800)
Subject: Fix EAP-FAST PAC file writer to avoid crash with multiple PACs
X-Git-Tag: hostap-1-bp~706
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4d7fc90a2629500f370ccef553fd848c3c95c64;p=thirdparty%2Fhostap.git

Fix EAP-FAST PAC file writer to avoid crash with multiple PACs

One of the pointers to the PAC buffer was not updated after realloc
and if the realloc ended up returning new pointer, the *pos pointer
was still pointing at the old location (i.e., freed memory at
this point).
---

diff --git a/src/eap_peer/eap_fast_pac.c b/src/eap_peer/eap_fast_pac.c
index 541cce50d..403728808 100644
--- a/src/eap_peer/eap_fast_pac.c
+++ b/src/eap_peer/eap_fast_pac.c
@@ -497,6 +497,7 @@ static void eap_fast_write(char **buf, char **pos, size_t *buf_len,
 			*buf = NULL;
 			return;
 		}
+		*pos = nbuf + (*pos - *buf);
 		*buf = nbuf;
 		*buf_len += need;
 	}